The Pentagon issued the final standards under the Cybersecurity Maturity Model Certification (CMMC) on Friday.
The model, consisting of five levels of security standards, will be phased into requests for information starting this summer. The vast majority of contractors that work with unclassified information will need to meet only level one of the framework — the least secure but least costly level on the scale. From there, the more sensitive the information contractors handle, the higher the level of certification they will need to receive under CMMC, up to level five. All levels will be certified by independent assessors who will conduct in-person checks.
“Today represents an important milestone but we still have a lot of work to do,” Undersecretary for Acquisition and Sustainment Ellen Lord said at a press conference.
The model was born out of a realization that “checklist” security and self-assessment, the current standard set out by National Institute of Standards and Technology rule 800, was failing. Hacks of defense contractors have leaked national security secrets up and down the supply chain. Contractor cybersecurity was seen as a weak link by adversaries and routinely exploited.
“CMMC is a really admirable and progressive attempt,” said Simone Petrella, CEO of CyberVista, a cybersecurity workforce development company. “It is something that really could be transformative and powerful.”
The official release of the standard means contractors will now need to pay a CMMC-certified assessor to physically inspect their operations to ensure they comply with one of the five levels. In the future, once CMMC begins appearing in RFIs and actual solicitations, if a contractor doesn’t meet the contract’s requisite level under the framework, they won’t be able to bid for the work.
While Petrella praised the general model for moving away from self-attested security, she flagged potential problems in how assessors get trained and actually certify contractors.
One hurdle is the size of the industrial base. Thousands of contractors in a complex supply chain will need to be physically assessed against security standards that may be new to companies that have not prioritized cyber hygiene in the past. Exacerbating that issue is the shortage of trained cybersecurity workers with the knowledge needed to assess advanced security standards.
At a press briefing Friday morning, Lord acknowledged the burden that could fall on small- and mid-sized businesses.
“We need small and medium businesses in our defense industrial base and we need to retain them,” Lord said.
The CMMC assessors that will physically inspect contractors will be trained and overseen by a nonprofit board comprised of industry and academic partners. The board incorporated in November and as of this week had few answers as to how it will get the assessment workforce ready.
Lord stressed the department will take a “crawl, walk, run” approach to implementing the rules.
Arrington has been working to publicize CMMC with a national listening tour. But a recent survey found only a quarter of surveyed defense contractors could identify what the acronym stood for. A potential lack of understanding in the industrial base could spell trouble for the process as it tries to get off the ground.