The Department of Defense released a draft version of its Cybersecurity Maturity Model Certification (CMMC), dated August 30, offering a glimpse into how the department plans to apply cybersecurity requirements to its contractors in the near future.
The model aims to assess contractors on their cybersecurity maturity and to simplify the differing assessment processes used across DoD’s components. The draft is open for comments until September 22; DoD plans to finalize the model by January 2020 and to use the classification in all requests for information by June 2020.
The draft model establishes five levels of maturity, measured across 18 domains, each of which groups a set of related cyber capabilities. In general, Level 1 represents little to no maturity; Level 2 denotes organizations with policies but little enforcement; Level 3 applies to organizations that review for conformance and provide resources; Level 4 is for organizations that use cyber information to inform high-level management and review for effectiveness; and Level 5 applies when organizations standardize documentation and share improvements across the enterprise.
The model was developed by experts from Carnegie Mellon University and the Johns Hopkins University Applied Physics Laboratory on behalf of DoD, and is not yet final.
Cybersecurity concerns within the Defense Industrial Base have become more prevalent as foreign adversaries use the supply chain to attack DoD’s networks and exfiltrate information. At a March Senate hearing, senators raised these concerns and called for a strong model to standardize and raise the base level of security. DoD announced the development of the CMMC model in June, touting it as a way to simplify the cyber vetting of contractors across its various services.