The Cybersecurity Maturity Model Certification (CMMC) was developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to replace the self-certification previously required to demonstrate compliance with NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Under the new process, compliance will be assessed by an independent third party that is authorized by an independent accrediting body. This is very much a work in progress: to date (12 December 2019) no accrediting body has been created, nor have any companies been authorized to provide accreditation services. It is expected that third-party assessors will begin their training in Q1 of 2020, if everything goes according to schedule.
It is expected that contracts with CMMC requirements will start being issued in September 2020. When that occurs, contract award will be a go/no-go decision based on the outcome of the independent third-party assessment; there will be no opportunity to address deficiencies through a POA&M. There will be 5 achievable levels, with level 1 being basic cyber hygiene and level 5 being a state-of-the-art cybersecurity program.
CMMC Estimated Timeline
- CMMC Rev 1 Release – January 2020
- Certifying Assessors – June 2020
- RFIs – June 2020
- RFPs – September 2020
The Cybersecurity Maturity Model Certification Training is targeted at all personnel within the Defense Industrial Base (DIB) who conduct work with the Department of Defense (DoD). Compliance with this new requirement is mandatory for all contractors who wish to continue working with the DoD, regardless of company size or role on the contract.