The Department of Defense (DoD) has announced a new five-tier standard for cybersecurity certification, which it calls the Cybersecurity Maturity Model Certification, or “CMMC”. Taking an unusual approach to informing the industry, the DoD has provided only limited information about the new standard, through its website and a “road tour” led by the DoD’s newly appointed Chief Information Security Officer (CISO) for Acquisition, Ms. Katie Arrington.
During her recent presentation at the National Institute of Standards and Technology’s (NIST’s) Information Security and Privacy Advisory Board (ISPAB) meeting, on August 8, 2019, Ms. Arrington revealed several new details about the requirements. Outlined below are the most significant facts from that presentation and the DoD’s website:
All companies doing business with DoD (and all tiers of subcontractors) will need to obtain CMMC certifications.
DoD will require the new certifications from all contractors (including suppliers and subcontractors) that are performing under a DoD contract. Even contractors that do not process or handle Controlled Unclassified Information (CUI) must obtain CMMCs.