The Defense Industrial Base (DIB) is vulnerable to the theft of intellectual property and sensitive military and defense information due to exfiltration. The 2018 Department of Defense (DoD) National Defense Strategy acknowledges cyberspace as a warfighting domain. As the DoD’s supply chain and reliance on defense contractors has continued to expand, so has the realization that the Defense Industrial Base (DIB) is the soft underbelly of the Department’s cybersecurity posture.
In late January 2020, DoD released the Cybersecurity Maturity Model Certification (CMMC) as a unified cybersecurity standard for future DoD acquisitions. The CMMC shares the goal of the CDI DFARS clause to reduce the exfiltration of controlled unclassified information (CUI) from the DIB and protect data on DIB partner networks and is based largely on the set of security controls in NIST SP 800-171. CMMC adds the requirement for DIB companies to be assessed and certified by an approved 3rd party auditor. The intent is for this certification step to be a forcing function to promote and enhance the cybersecurity posture of the DIB by requiring contractors to demonstrate that they meet the required security controls, and to give the government better visibility and awareness of the DIB’s cybersecurity posture. CMMC will be a mandatory requirement for all companies doing business with the DoD. Certification is required for both prime and subcontractors. DoD will begin including the CMMC clause out in new Requests for Information (RFIs) starting in June of 2020, and in Requests for Proposal (RFPs) in the fall of 2020.
CMMC measures and assesses maturity of both processes and practices of security controls across 17 capability domains and 43 capability areas and pulls most of its requirements from existing controls in FAR Clause 52.204-21 and NIST SP 800-171. CMMC is not a one-size-fits-all model; the framework has five (5) levels of maturity from basic safeguarding to protection against Advanced Persistent Threats (APT). This is intended to ensure CMMC requirements are not overly burdensome on small to mid-size businesses that may not have the resources to implement more advanced cybersecurity protection measures. Future solicitations will define the required level of maturity based on the sensitivity of information and the level of safeguarding required.