Department of Defense contractors should already be DFARS 252.204-7012 (“DFARS-7012”) compliant. Implementing 100% of the NIST SP 800-171 (“NIST-171”) security controls did not have a specific deadline, but contractors are strongly advised to complete that work, since it is the best way to ensure a continued ability to win future work from the DoD. In addition to DFARS-7012 and NIST-171, DoD contractors will be required to meet a Cybersecurity Maturity Model Certification (CMMC) level between 1 and 5. The exact level is contract specific and will be called out in RFP Sections L & M. The current expected date for RFPs to include the CMMC is September 2020.
The details below are current as of July 26, 2019.
If you are just now seeking information about the Cybersecurity Maturity Model Certification, see our FAQ. It contains all the information officially and publicly stated by the Government office driving this new standard.
The information below has been pulled from public news articles, and some of it may not be accurately reported. Use it for high-level planning purposes only, and check back periodically for updates on the CMMC requirements.
- CMMC compliance will be required for all DoD contracts AND all tiers of contractors – All companies in the DoD supply chain, including the second, third, and fourth subcontracting tiers and beyond, must be CMMC certified before they can be used in the performance of work under a DoD contract. What’s more, prime contractors will be responsible for collecting these certifications.
- Real-time, “holistic” scoring of a contractor’s cybersecurity compliance – In addition to the ongoing CMMC certification process, DoD contractors will also receive real-time, remote scoring of their cybersecurity measures during contract performance, similar to a person’s credit rating. A CMMC certification “gets the contractor in the door,” but DoD is also concerned with a contractor’s ability to maintain CMMC security standards during contract performance. DoD views real-time monitoring as a tool to help certified contractors fix system vulnerabilities. Ms. Arrington suggested that tools were already in place to conduct the real-time monitoring and scoring, but did not provide details as to how it would be accomplished.
- No change to the DFARS – At this time, DoD does not anticipate revising the DFARS, including DFARS 252.204-7012, to address the CMMC program. However, a revision will be made in the future. The CMMC standard applicable to a particular acquisition will be reflected in RFP Sections L and M. There was no discussion of any of the pending revisions to the NIST Special Publications or the long-gestating FAR Case addressing broader and/or more enhanced cybersecurity requirements.
- A more defined time line for CMMC implementation – DoD is targeting June 2020 and September 2020 to begin incorporating CMMC requirements into RFIs and RFPs, respectively.
- CUI and CDI will be redefined – The National Archives and Records Administration is currently revising the definitions of Controlled Unclassified Information (CUI) and Covered Defense Information (CDI). Revising the scope of CUI/CDI will likely affect the cybersecurity requirements (e.g., CMMC levels) for protecting such data.
- CMMC compliance certification expiration – The length of time a CMMC certification will last is still up for debate. However, Ms. Arrington stated that she prefers a “biannual” certification requirement, although a more frequent certification requirement is not off the table.
- Revising DoDI 5000.2 – DoD will be revising the “Cybersecurity in the Defense Acquisition System” section of DoD Instruction 5000.2, “Operation of the Defense Acquisition System,” and will issue the revised section as a separate instruction. The revision draft is due in October 2019, and a final version is anticipated in January 2020.