5 Things you Need to Know About the New Cybersecurity Maturity Model Certification (CMMC)

New Cybersecurity Model coming in 2020 will impact DOD contractors.

Recently, the Department of Defense, under the Office of the Assistant Secretary of Defense for Acquisition, released a draft version of this new model and is actively seeking public comments. The vision associated with the model is to, “Be a unified cybersecurity standard for DoD acquisitions to reduce exfiltration of Controlled Unclassified Information from the Defense Industrial Base.”

  1. This model provides a certification track for the industrial base (defense contractors) ranging from basic cyber hygiene to advanced, with a total of 5 levels
  2. The model will require businesses to obtain external / 3rd-party audits
  3. Similar to the Capability Maturity Model Integration (which isn’t surprising, as one of the authors is Carnegie Mellon), there are 18 domains, which are primarily based on current best practices
    1. Each Domain is composed of Capability “groupings”
    2. Each Capability has individual Practices and Processes
  4. Also very similar to the CMMI Model, each level describes the maturity of the organization
    1. Level 1 – Basic: Processes are performed
    2. Level 2 – Intermediate: Processes are documented
    3. Level 3 – Managed: Processes are managed
    4. Level 4 – Proactive: Processes are reviewed
    5. Level 5 – Advanced / Progressive: Processes are optimized
  5. In each domain there are nine standard processes and multiple unique processes

The 1.0 revision of the model is expected to be released in January 2020, will be included in Requests for Information (RFIs) starting in June of 2020, and in Requests for Proposal (RFPs) in Fall of 2020. You can read more about the model here. If you are interested, you can provide feedback to the working group through this link.

Author: Joel D. Williams: Executive Vice President, Chief Growth Officer (CGO)