On Nov. 8, the Office of the Undersecretary of Defense for Acquisition and Sustainment (OSD) released part of Version 0.6 of the draft Cybersecurity Maturity Model Certification (CMMC). This version includes CMMC Levels 1-3, but not Levels 4-5. According to OSD, “CMMC Levels 4-5 are not included in this release because public comments are still being addressed.” Updates to Levels 4-5 are expected to be provided in the next public release. According to OSD, the CMMC model will continue to be improved with the finalization of Version 1.0 in January 2020. The Department of Defense (DOD) will begin including the final CMMC model as “go/no go” in all solicitations starting in Fall 2020.
The purpose of CMMC is to become the “unified cybersecurity standard” for all DOD contractors. Under this model, defense contractors, including subcontractors, will be required to be certified among the different levels in order to be eligible for contract award. The level of security is determined based on the security requirements needs for each defense contract. This differs from previous cybersecurity mandates as CMMC will require contractors to obtain a third-party certification.
Although OSD had announced that an additional round of public comments would be solicited for the draft Version 0.6 in November 2019, as of this article there has been no request for comment and references to a second comment period have been removed. AGC has urged OSD to allow for a second round of comments and for significantly more time to review Version 0.6. AGC was disappointed to see that stakeholders were given just 21 days to review and comment on the v.0.4 CMMC Model.
DOD has previously stated that the agency did not plan on auditing contractors’ electronic devices, but would rely on contractors attesting to their compliance with the requirements. However, OSD is no longer satisfied with this approach and now wants a much stricter “trust but verify” application using the CMMC model.
AGC has communicated the difficulty many contractors have had implementing these new cybersecurity requirements and the challenges that the CMMC model brings. OSD acknowledges the challenge of being 100% complaint with CMMC, but suggest a firm’s “policies, plans, processes, and procedures” may offset the need for full compliance.
On September 25, AGC, along with a coalition of stakeholders, filed comments on Version 0.4 CMMC. AGC will continue to follow this issue and will update members as development grows.
For more information, contact Jordan Howard at firstname.lastname@example.org or (703) 837-5368.