Georgia Tech Procurement Assistance Center

  • Home
  • About Us
  • Training
    • Class Registration
    • On-demand Training
    • GTPAC COVID-19 Resource Page
    • Cybersecurity
    • Veterans Verification Video
    • GTPAC Community
    • Other Training Audio & Video
  • Useful Links
  • Team Directory
    • Albany Counselor
    • Atlanta Counselors
    • Augusta Counselor
    • Carrollton Counselor
    • Columbus Counselor
    • Gainesville Counselor
    • Savannah Counselor
    • Warner Robins Counselor
  • Directions
    • Atlanta – Training Facility
    • Atlanta – Office
    • Albany
    • Augusta
    • Carrollton
    • Columbus
    • Gainesville
    • Savannah
    • Warner Robins
  • COVID-19
  • New Client Application
  • Contact Us

2020 and the Department of Defense’s Cybersecurity Maturity Model Certification Program

January 10, 2020 By Andrew Smith

2019 has been a year of pivotal developments for defense contractors in the realm of cybersecurity compliance.  The Department of Defense (DoD) issued six guidance memoranda to assist its acquisition personnel in developing “effective cybersecurity strategies to enhance existing protection requirements,” including a mandate for the Defense Contract Management Agency to include cybersecurity compliance as a part of a contractor’s purchasing system audit and approval.  2019 also saw the first False Claims Act whistleblower litigation related to contractors’ compliance with DoD cybersecurity contracting provisions.

Beyond merely focusing on enforcement of existing compliance obligations, the DoD upped the ante in June 2019 with its announcement of its forthcoming Cybersecurity Maturity Model Certification (CMMC).  CMMC is the next step in the DoD’s efforts to protect the government’s sensitive, unclassified information against data exfiltration, and once it goes into effect CMMC will be a mandatory, third-party certification for all DoD contractors and subcontractors.

While there remain many unanswered questions surrounding the details and implementation of CMMC, the DoD has made clear that CMMC is coming and the defense contracting community must be ready to implement these requirements in order to continue receiving defense contracts, subcontracts and other DoD-funded agreements.

What Will CMMC Require?

As currently drafted, CMMC will require all defense contractors and subcontractors to undergo a third party assessment of their internal cybersecurity technical practices and process maturity against published standards.  This assessment will result in certification at one of five levels – 1 being the lowest and 5 the highest – or no certification.  Each subsequent level is cumulative, meaning a company must meet the requirements of all lower levels to qualify for a higher level of certification.  In addition, an organization must satisfy both the defined practices and process maturity criteria within a given level across all areas of the model to achieve certification at that level (e.g., having a Level 3 assessment on technical practices and Level 2 on process maturity results in an overall Level 2 certification).

The DoD expects contractor CMMC assessments to begin in early June 2020.  CMMC requirements will start appearing in DoD Requests for Information around this same time, and they become mandatory in all DoD solicitations beginning fall 2020.  Once implemented, each DoD solicitation will identify the minimum required CMMC level a company must have to be eligible for that contract award.

On December 6, 2019, the DoD released Version 0.7 of the draft CMMC framework.  This update refines the technical practice requirements for Levels 1-5 and provides further guidance regarding process maturity expectations.  Level 1 identifies 17 basic requirements, mostly consistent with existing general government contractor cybersecurity requirements, while Level 3 aligns with full NIST SP 800-171 Rev 1 compliance.  Levels 4 and 5 require “proactive” and “progressive” cybersecurity programs, respectively, and impose additional practices derived from Draft NIST SP 800-171B and other heightened cyber standards.  These top two levels are expected to be reserved for companies handling information related to critical technologies.

The CMMC model will not be static, however: it will be adapted and revised whenever and however needed as the DoD identifies new threat vectors.  While a company’s certification is generally expected to last for  three years, including interim spot checks, model revisions could necessitate earlier reassessment.

Continue reading at:  National Law Review

Filed Under: Contracting Tips Tagged With: CMMC, cybersecurity, Cybersecurity Maturity Model Certification, DoD

Recent Posts

  • Georgia Tech creates new Office of Corporate Engagement
  • Federal contractor indicted for stealing over $1.2 million from the U.S. Postal Service
  • SBA hosting “Contract Bonds and Surety Bond Guarantee” webinar April 20th
  • GSA hosting “Getting on the GSA Schedule” webinar April 13th
  • NIH hosting 2021 small business program conference April 26-30th

Popular Topics

8(a) abuse Army bid protest budget budget cuts certification construction contract awards contracting opportunities cybersecurity DoD DOJ False Claims Act FAR federal contracting federal contracts fraud GAO Georgia Tech government contracting government contract training government trends GSA GSA Schedule GTPAC HUBZone innovation IT Justice Dept. marketing NDAA OMB SBA SDVOSB set-aside small business small business goals spending subcontracting technology VA veteran owned business VOSB wosb

Contracting News

Federal contractor indicted for stealing over $1.2 million from the U.S. Postal Service

CMMC announces new advisory council to collect industry feedback

EEOC announces April 26 opening date for the collection of 2019 and 2020 EEO-1 component 1 data

Contractors line up to rebuild MARTA’s Five Points Station

GDOT announces $828.8 million in projects to transform Ga. 316

Read More

Contracting Tips

A whole new marketplace: GSA’s “commercial platforms” initiative

CRS Reports: Mentor-Protégé programs and small business size standards

CRS Report: Small businesses and COVID-19, relief and assistance resources

How do I find out what the government is buying?

Past performance isn’t always a required evaluation factor, says GAO

Read More

GTPAC News

SBA hosting “Contract Bonds and Surety Bond Guarantee” webinar April 20th

GSA hosting “Getting on the GSA Schedule” webinar April 13th

NIH hosting 2021 small business program conference April 26-30th

Defense Counterintelligence and Security Agency hosting industry day and matchmaking May 6th and 20th

Missile Defense Agency hosting virtual conference May 11-13th

Read More

Georgia Tech News

Georgia Tech creates new Office of Corporate Engagement

Delta Jacket wins 2021 Georgia Tech InVenture prize

Future of 5G is under the microscope at Georgia incubator

Collective worm and robot “blobs” protect individuals, swarm together

The Partnership for Inclusive Innovation is now accepting applications for pilot programs

Read More

  • SAM.gov registration is free, and help with SAM is free, too
APTAC RSS Twitter GTPAC - 30th Year of Service

Copyright © 2021 · Georgia Tech - Enterprise Innovation Institute