According to Mr. Kevin Fahey, Assistant Secretary of Defense for Acquisition, Office of the Under Secretary of Defense for Acquisition and Sustainment, in calendar year 2020 the Department of Defense will begin requiring all defense contractors to be certified against a Cybersecurity Maturity Model. The certification program will be known as the CMMC.
The DoD will begin certifying cybersecurity levels for defense contractors in 2020. The program will be launched in January 2020. By September 2020, all DoD RFPs will include a cybersecurity certification level requirement in order to bid.
Ms. Katie Arrington reports to Mr. Fahey and is creating the program and leading its implementation. Her presentation is attached for your review here. Katie will be leading a series of meetings across the country this summer, and dates and times will be announced soon. The list of cities is in the aforementioned presentation. The updated DoD 5000 acquisitions document will be released in July 2019 with sections L & M significantly updated to define cybersecurity items. DoD officials pointed out emphatically that cybersecurity costs will be an “allowable cost.”
DoD officials have outlined the basics of the new cyber certification program as follows:
- The Model is currently under contract for development by the Carnegie Mellon Software Engineering Institute and the Johns Hopkins Applied Physics Laboratory.
- The Model will identify five levels of data security based on NIST SP 800-171 and other guidance.
- Contractors will need to be certified according to the five proposed levels of the Model. Contractors can implement the appropriate security based on the data they handle.
- The DoD will develop an automated tool to assist in gathering data and simplify reporting requirements.
- The certifications will be conducted by an independent, non-profit organization which will select accredited third-party auditors. This organization has not been named at this time.
- Cybersecurity expenses will become an allowable cost in DoD contracts.
Any Virginia company that is either a prime contractor or a subcontractor to DoD will need to attain a CMMC rating. Business leaders who plan to continue working with DoD in the future will need to comply with the existing DFARS 7012 regulation and the NIST SP 800-171 cybersecurity specification. Compliance will require ongoing preparation and documentation, and GENEDGE has an established program to help smaller companies meet the requirements.
By Roy Luebke, Engagement Manager, GENEDGE