The United States Department of Defense (DoD) supply chain is one of the most critical to both national security and the protection of individuals in the armed forces. Regardless of where contractors sit in the defense industrial base (DIB), security is critical to avoid intellectual property theft or, worse, sabotage by bad actors.
The digital technologies that many contractors have embraced to increase efficiency and enable business growth have also introduced new threat surfaces. The Defense Federal Acquisition Regulation Supplement (DFARS) clause that went into effect in 2018 was the DoD’s first stake in the ground, indicating that the information systems of DIB members must be held to a standard of security to protect the nation. The self-certification process, though, proved too unwieldy to track and verify. The DFARS clause used the controls from the National Institute of Standards and Technology’s Special Publication 800-171: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.
Recognizing that there needed to be more structure than the self-certification of compliance with NIST SP 800-171, the Department of Defense began developing what would become the Cybersecurity Maturity Model Certification (CMMC).
The CMMC is an amalgam of multiple frameworks and standards, including NIST SP 800-171, the NIST Cybersecurity Framework, ISO 27001, and others. Developed by the DoD in conjunction with academia (Carnegie Mellon and Johns Hopkins Universities), the CMMC combines practices (what most CSPs will recognize as controls) with processes that gauge the maturity level of a given practice. Recognizing that not all contractors need the same cybersecurity program maturity as a prime, the DoD will state which of the five maturity tiers a given contract requires at the time of a request for information (RFI). A contractor’s tier will be assessed and audited by third-party CMMC assessors and auditors. These third-party assessment organizations will be appointed by the CMMC Accreditation Board, and the CMMC certification for a given tier will last for three years.