The Department of Defense released last week its new Cybersecurity Maturity Model Certification (CMMC), which will require at least some companies bidding on defense contracts to certify that they are compliant with at least the basic level of cybersecurity standards to work on government contracts.
The CMMC is a certification procedure that ensures that contractors have the controls in place to protect sensitive data, including Federal contract information and Controlled Unclassified Information (CUI). The Department of Defense put these measures in place in furtherance of its focused effort on security and resiliency in the Defense Industrial Base (DIB) sector, which has been the target of malicious cyber actors seeking to steal, among other things, intellection property and other unclassified information. The goal of the CMMC is to provide assurance to the Department of Defense that a DIB contractor can protect CUI at a level commensurate with the risk. The Department of Defense has indicated that by fiscal year 2026, all new Department of Defense contracts will contain CMMC requirements. This includes all contractors who perform work for the Department of Defense–from sophisticated weapons makers to the landscaper mowing the lawn at the Pentagon.
The CMMC has five different levels. The first level relates to basic cyber hygiene skills that a company should utilize everyday (e.g., antivirus software, updating passwords, etc.). The focus here would be to protect Federal contract information. The second level goes a step further, with the Department of Defense focusing on the company’s cybersecurity practices, ensuring it is effectively documenting cybersecurity procedures. The Department of Defense has characterized the focus of level two as a “transition step in cybersecurity maturity progression to protect [CUI].” Level three requires that the cybersecurity measures be properly managed for purposes of protecting the CUI, with levels four and five requiring that such procedures be reviewed and optimized in order to “protect [CUI] and reduce risk of advanced persistent threats” (i.e., “adversaries that possess sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors.”).
The Department of Defense has indicated that a mix of CMMC levels will be required for certain government contracts. These levels will be assessed through requests for information and proposals that the Department of Defense is expected to publish later this year. The certifying of a potential defense contractor, however, will not necessarily be performed by the Department of Defense, who has indicated it will be using third-party assessment organizations to conduct those assessments. These third-party organizations will be trained and monitored by a newly created 13-member CMMC accreditation body.
Concerns have arisen over the burden the CMMC will have over small companies with government contracts who may not necessarily be equipped to meet the standards set forth in the CMMC. However, the Department of Defense has indicated there are resources that small organizations not familiar with defense contracts would be able to utilize in order to equip them, including the Department of Defense industry policy team, which could connect companies to CMMC experts. However, while the Department of Defense has indicated a desire to minimize the impact of the CMMC on small and medium businesses, it has stated it will only do so as long as there is no cost to national security.