The Cybersecurity Maturity Model Certification (CMMC) is the newest Department of Defense (DoD) verification mechanism. It’s designed to ensure that cybersecurity controls and processes adequately protect controlled unclassified information, also known as CUI, that resides on defense industrial base systems and networks.
Version 1.0 of the CMMC was launched on Jan. 31, 2020. CMMC maps cybersecurity best practices and processes to five maturity levels, ranging from basic cyber hygiene at level 1 to advanced and progressive cyber hygiene at level 5.
The ultimate goal of CMMC is to implement an appropriate level of cybersecurity across the defense industrial base supply chain. The DoD estimates the rollout of CMMC will affect more than 300,000 companies. Most companies will be required to have a certification between level 1 and level 3 to qualify for government contracts.
Slow and measured rollout for CMMC planned
Rolling out the requirements will be a slow and measured process. DoD handpicked the first 10 requests for information, or RFIs, that will include minimum CMMC certification requirements. These requests for information were scheduled to be submitted at the end of July or early August.
Requests for proposals (RFPs) will follow later this year. DoD expects to award the first contract in early 2021. The current plan is to have CMMC requirements in all new requests for information by 2026.
CMMC preserves five-year contract timeline
DoD will not modify existing contracts to insert CMMC requirements, outside of extenuating circumstances. Thus, the five-year timeline provides for the general five-year contract cycle of one base year plus four option years.
About the author
Brenda Bissell is a senior manager of accreditation at ANAB.
This article first appeared on the ANAB blog and is published here with permission.