Page 33 - FCW, January/February 2020

[Figure: CMMC establishes cybersecurity as a foundation for future DoD acquisitions. Source: Defense Department]
CMMC levels align with the following focus:
Level 1: Basic safeguarding of FCI
Level 2: Transition step to protect CUI
Level 3: Protecting CUI
Levels 4-5: Protecting CUI and reducing risk of APTs
bring in companies that aren’t familiar with defense work,” Lord said. “We just created early this year what we call a placemat,” with step-by-step instructions for companies to get the help they need.
She added that step one is calling DOD’s industrial policy team, which can connect them to CMMC experts at DOD. The department’s Office of Small Business Programs can also help. Another option is connecting with industry organizations such as the National Defense Industrial Association and the Professional Services Council.
[Figure labels, Levels 1 through 5: Performed / Basic Cyber Hygiene; Documented / Intermediate Cyber Hygiene; Managed / Good Cyber Hygiene; Reviewed / Proactive; Optimizing / Advanced/Progressive. Annotations: Basic Safeguarding of FCI; Transition Step to Protect CUI; Increasing protection of CUI; Reducing risks of APTs.]
Lord said prime contractors are already considering ways to ensure their partners are compliant but did not offer any specifics. Kevin Fahey, assistant secretary of Defense for acquisition, told reporters that prime contractors could have subcontractors work within their infrastructure to ensure cybersecurity compliance.
The role of the Accreditation Body
The standards in CMMC aren’t new — it borrows freely from the National Institute of Standards and Technology’s Cybersecurity Framework, among others — but its success relies on the new CMMC Accreditation Body and how it shapes the training for the CMMC Third-Party Assessment Organizations (C3PAOs) that will be charged with certifying contractors. Lord said assessors have not yet been selected, and no company has been designated as qualified.
Simone Petrella, CEO of workforce development company CyberVista, told FCW that her top concern was the criteria the C3PAOs would be using “because the effectiveness of having a maturity level assigned to you is only going to be as good as the assessor who’s coming in and conducting that audit.”
Ty Schieber, senior director of executive education at the University of Virginia’s Darden School Foundation, has been chosen to lead the 13-member Accreditation Body, which was slated to deliver a draft of “CMMC 101” training in February.
“We’ve been doing that the entire process, so we have a pretty good understanding of how long it takes to go forth with a certification.”
Katie Arrington, Defense Department