Defense

DOD’s final cyber standards for contractors coming this week

New CMMC rules are expected by the end of the week as more details emerge about the changes the cyber standards will bring.

By Jackson Barnett

January 28, 2020

The Air Force Memorial and the Pentagon in Arlington, Virginia. (REUTERS / Joshua Roberts)

The Department of Defense’s new cybersecurity certification standards for contractors are officially arriving later this week, and the plan is to have about 1,500 companies certified by next year as the requirements start to pop up in contracts, officials said Tuesday.

For now, the program’s newly formed certification board is preparing to train and certify assessors, but it does not have a projection as to how many of the cybersecurity specialists will initially be available and when, board member Mark Berman said. The board, a nonprofit, is housed outside of DOD.

The Cybersecurity Maturity Model Certification process will subject all DOD contractors to third-party cybersecurity assessments, with the goal of protecting the military’s entire supply chain. The program is replacing the DOD’s current reference document — the National Institute of Science and Technology’s standards for cybersecurity — with a five-level rating system.

The vast majority of contractors will need only to meet the first level, but even that level of accreditation will still require an in-person assessment by a certifier, officials said.

Industry must move away from self-assured “checklist” security and have continuous security principles baked into its work, said Katie Arrington, special cyber assistant to the assistant secretary of defense for acquisition who has led the creation of CMMC.

“CMMC is meant to create critical thinking around cybersecurity,” Arrington said during an explanatory event Tuesday hosted by Holland and Knight.

The move away from self-certification is one of the major changes that will appear in the finalized CMMC model after the department has circulated several rounds of drafts and parts of the plans in the past months. Arrington and others admitted the existing reliance on self-certification has been a failure with defense technology being stolen by adversary nation-states and criminal organizations alike.

“They are done because they have not worked,” Arrington said of self-certifications.

Implementing CMMC will be a “team sport,” Ty Schriber, another accreditation board member, said during the panel discussion.

Despite large pushes from Arrington and others to get the word out in Washington, D.C., and on listening tours around the country, a recent study found low recognition of the program from defense contractors. Only a quarter of surveyed defense contractors could accurately identify what CMMC stands for.

The DOD projects a slow rollout of CMMC into contracts but hopes the transition will be smooth as businesses realize the threat from cyberattacks. Arrington assured contractors that the government will work “hand-in-hand” with companies as they start the certification process and encounter contracts with the new requirements.

U.S. allies are also being brought into the discussions, Arrington said. The United Kingdom, Sweden, Canada and others will be incorporated into the model to continue partnerships on defense technologies, Arrington said.