Why CMMC?

CMMC = Cybersecurity Maturity Model Certification (for DoD contractors)

Mark Berman
FutureFeed
2 min read, Oct 7, 2019


As today fades, CMMC will be here tomorrow. Pay attention now.

The DoD has realized that its subcontractors are the Achilles' heel of the nation's security. While prime contractors have been heavily regulated and have large budgets for cybersecurity, neither past compliance requirements nor market pressure has demanded the same of subcontractors.

A Little Bit of History

So, beginning in 2017, subcontractors were required to complete an SSP (System Security Plan), an assessment of where they stood relative to that SSP, and a POA&M (Plan of Action & Milestones) to close the gap. The assessment used the NIST 800-171 standard. The standard includes 110 controls, each of which requires an analysis of the organization's response to the requirement and of the outcomes of any implementation.

To complicate things further, in 2019 the DoD realized that neither the acquisition officers working for the government and the primes nor the subcontractors had been effectively responding to the regulation. So, Congress and the DoD commissioned an updated regulation and standard, termed CMMC (Cybersecurity Maturity Model Certification), to be created and required for all DoD contracts starting in September 2020.

Help!

There are few tools on the market to help subcontractors or their consultants deal with the need for compliance with the existing NIST 800-171 standard, let alone the forthcoming CMMC. Of the existing tools, most are best described as online spreadsheets, offering little help to the vast number of affected companies, many of which have little or no IT staff and no experience with compliance.

Yet the DoD has identified 360,000 companies that need to be compliant.

The Current State of CMMC

The CMMC is at version 0.4, on a path to finish at version 0.7 by the end of the year, after which the process of hiring and training auditors begins. Version 0.4 is a superset of the current NIST 800-171, but it gives smaller subcontractors a break, holding them accountable for less than the current NIST 800-171 requires. In a fantastic move, rather than relying on one standard, the CMMC pulls from the best of many standards.

CMMC will give each contractor certainty as to whether it is qualified to bid on a particular job. That certainty is much needed. I look forward to seeing how the standard develops over the next few months.
