DOD to Require Cybersecurity Certification in Some Contract Bids.
By the end of September, the Defense Department will require at least some companies bidding on defense contracts to certify that they meet at least a basic level of cybersecurity standards when responding to a request for proposals.
DOD released its new Cybersecurity Maturity Model Certification (CMMC) billed by the undersecretary of defense for acquisition and sustainment as "Version 1.0.".
By June,2020 the department plans to publish as many as 10 requests for information on contracts that include CMMC requirements, Ellen M. Lord said during a Pentagon news conference announcing the certification effort. By September, she said, the department will also publish corresponding requests for proposals that include those requirements. All new DOD contracts will contain the CMMC requirements, Lord said.
Strategic Direction for Cybersecurity Maturity Model Certification (CMMC) Program
On Nov,4 2021 release update to “CMMC 2.0” Program Release note:
Today, the Department of Defense announced the strategic direction of the Cybersecurity Maturity Model Certification (CMMC) program, marking the completion of an internal program assessment led by senior leaders across the Department.
The enhanced “CMMC 2.0” program maintains the program’s original goal of safeguarding sensitive information, while:
Simplifying the CMMC standard and providing additional clarity on cybersecurity regulatory, policy, and contracting requirements. Focusing the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs; and Increasing Department oversight of professional and ethical standards in the assessment ecosystem.
Together, these enhancements:
Ensure accountability for companies to implement cybersecurity standards while minimizing barriers to compliance with DoD requirements.
Instill a collaborative culture of cybersecurity and cyber resilience; and Enhance public trust in the CMMC ecosystem, while increasing overall ease of execution.
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” said Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
The CMMC program includes cyber protection standards for companies in the defense industrial base (DIB). By incorporating cybersecurity standards into acquisition programs, CMMC provides the Department assurance that contractors and subcontractors are meeting DoD’s cybersecurity requirements.
The DIB is the target of increasingly frequent and complex cyberattacks by adversaries and non-state actors. Dynamically enhancing DIB cybersecurity to meet these evolving threats, and safeguarding the information that supports and enables our warfighters, is a top priority for the Department. CMMC is a key component of the Department’s expansive DIB cybersecurity effort.
The internal assessment of CMMC was co-chaired by: Mieke Eoyang, Deputy Assistant Secretary of Defense for Cyber Policy; David Frederick, Executive Director of U.S. Cyber Command; David McKeown, Deputy Chief Information Officer for Cybersecurity; and Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy; and included senior leaders from 18 components across the Department.
For more on the changes, visithttps://dodcio.defense.gov/CMMC/.
Five Steps to Make Your Company More Secure
- Educate people on cyber threats.
Most cyber incidents start because of user error. Educate people about the importance of setting strong passwords, recognizing malicious links, and installing the latest security patches. Helpful materials and training videos are available through Project Spectrum.
- Implement access controls.
Limit information systems access to authorized users and the specific actions that they need to perform.
- Authenticate users.
Use multi-factor authentication tools to verify the identities of users, processes, and devices.
- Monitor your physical space.
Escort visitors and monitor visitor activity, maintain audit logs, and manage physical devices like USB keys.
- Update security protections
Make sure to download the latest security patches when new releases are available. Always double check to make sure they are coming from a trusted source.
Plan of Actions and Milestones (POA&MS)
With the implementation of CMMC 2.0, the Department intends to allow companies to receive contract awards with a limited time Plan of Actions and Milestones (POA&M) in place to complete CMMC requirements. The Department’s intent is to specify a baseline number of requirements that must be achieved prior to contract award, to allow a remaining subset to be addressed in a POA&M within a clearly defined timeline. The Department also intends to specify a small subset of requirements that cannot be on a POA&M in support of achieving a CMMC certification.
Under CMMC 2.0, the Department intends to allow a limited waiver process to exclude CMMC requirements from acquisitions for select mission-critical requirements. DoD policies for Program Managers seeking CMMC waivers will require senior DoD leadership approval and will limit waiver duration.
Key Changes Incorporated Under the CMMC 2.0 Framework
- Plan of Actions and Milestones (POA&Ms)
No allowance for POA&Ms
- Waivers - No allowance for waivers
- Allows the use of POA&Ms.
- Highest weighted requirements cannot be on POA&M list.
- DoD will establish a minimum score requirement to support certification with POA&Ms.
- Applied to entire CMMC requirement, not individual cybersecurity practices.
- Allowed on a very limited basis in select mission critical instances, upon senior leadership approval.
- DoD program office submits a justification package that includes specified timeline and associated risk mitigation plan.
- Timelines imposed on a case-by-case basis to achieve CMMC compliance