In another move to strengthen the cybersecurity defenses of the U.S. Department of Defense (DoD) against foreign and domestic cyber threats, the U.S. Government is unveiling a new cybersecurity certification model for companies that supply products and services within the U.S. defense supply chain. The model, known as the Cybersecurity Maturity Model Certification (CMMC), will require all DoD contractors to become “certified” by meeting certain CMMC cybersecurity requirements.
This is nothing new for DoD contractors, as they are now well aware of the cybersecurity mandates that have been sweeping across the defense industry over the last several years. Since the U.S. Government signed the Defense Acquisition Federal Regulation Supplement (DFARS) into law, over 300,000 private DoD contractors have been tasked with implementing the required NIST SP 800-171 cybersecurity framework into their computer systems to become compliant with the law.
Initially, the DoD had entrusted private contractors to implement cybersecurity on good faith. The DoD even incentivised the practice by viewing cybersecurity as a “competitive advantage” for contractors competing to win contracts. Even so, the DoD has found it challenging to achieve 100% adoption across the entire supply chain. Due to these challenges, the DoD has built upon existing DFARS law and developed the CMMC as a “verification component” to ensure contractors have indeed implemented the cybersecurity framework into their systems.
The DoD will be utilizing approved third-party auditors to audit DoD contractor computer systems and award certifications based on their findings. In order to prepare for the audits, DoD contractors have the option to implement the cybersecurity requirements themselves, or consult with cybersecurity service providers who are familiar with the CMMC model and offer assessment services.
One of the biggest challenges contractors have faced in the implementation of cybersecurity plans has been the costs associated with them. That is why many contractors will be delighted to know that the DoD has announced that the costs to become certified are an “allowable cost,” meaning the DoD will reimburse contractors as part of the awarded contract.