Just as the coronavirus pandemic was getting underway in January, the Department of Defense (DoD) launched an ambitious cybersecurity certification and compliance process called the Cybersecurity Maturity Model Certification (CMMC). This framework has five certification levels of maturity that are designed to ensure that the Pentagon’s 300,000 contractors can adequately protect sensitive information.
The CMMC embraces existing well-known federal cybersecurity frameworks including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933, as well as compliance procedures from the Federal Information Security Management Act (FISMA). One of the most significant changes for DoD contractors under the CMMC is the need to undergo external security audits.
“There were some simple things that our communities weren’t doing and we needed to find a way to make them repeatable, accountable and to provide metrics and make them auditable,” Katie Arrington, CISO for acquisition and sustainment, DoD, said at the 10th Annual Billington Cybersecurity Summit, which was held virtually this year. “So, we created this model with collaboration with industry and academia.”
The CMMC “is one piece of a massive cultural reform that’s been going in the department since 2018,” Arrington said, pointing to something called the Adaptive Acquisition Framework, a set of policies designed to introduce innovation into what has long been the sluggish thicket of the federal acquisition process. “It’s refreshing to see that acquisition is now understanding the new emerging capabilities and how we need to move through those.”