
DoD Begins Implementation of CMMC


The Department of Defense began the implementation of the Cybersecurity Maturity Model Certification Tuesday, requiring all defense contractors to ensure that their cybersecurity competency is up to snuff moving forward. 

Katie Arrington, chief information security officer of defense for acquisition and sustainment and a 2020 Wash100 winner, considers the start of the CMMC a big cultural shift, as the program now makes cybersecurity a foundation of DoD procurement.

Speaking at the virtual AFCEA TechNet conference, Arrington said the DoD is taking a “crawl, walk, run” approach to implementing CMMC to ensure that defense contractors are able to keep up with the new program, Breaking Defense reported Tuesday.

The “crawl” and “walk” aspects are a precursor to the CMMC process. They signify two controls put in place to gauge a company’s cybersecurity level.

First, companies must log in to the DoD’s Supplier Performance Risk System and rate themselves between 0 and 110, depending on how they implement a National Institute of Standards and Technology requirement centered on Controlled Unclassified Information.  

According to the CMMC’s proponent, the Office of the Undersecretary of Defense for Acquisition and Sustainment, increased protection of CUI across the defense industrial base is necessary to prevent loss of sensitive data, which are critical to national security.

The second control places companies that reported a self-assessment score between 80 and 110 under audit by the Defense Contracting and Management Agency to validate their cybersecurity posture. 

The two controls are followed by the “run” aspect, which represents the instantiation of how the DoD intends to ensure that cybersecurity standards are met in its procurement. It is important to note, however, that micro-purchases under $10K and commercial-off-the-shelf products are exempt from CMMC regulations.
