CMMC: What we know and why it matters
The standard culminates a year-long process notable for collaboration between DoD and industry. It is a good beginning, but it is only a beginning.
Friday, Jan. 31, the Defense Department released Version 1.0 of its standard for the Cybersecurity Maturity Model Certification program, known as CMMC.
Publishing the standard culminates a year-long process. It is a good beginning, for two reasons.
What does CMMC mean for industry?
Let’s look at what we know. The DoD standard is now set. It goes beyond current acquisition regulations, which require compliance with standards from the National Institute of Standards and Technology.
We know that companies have yet to assess their systems and processes against the new CMMC standard. PSC is advising our member companies to begin their own internal assessment of how well they meet the CMMC Version 1.0 standard. Firms should start now; there is no need to wait.
How will a company become CMMC certified?
CMMC certificates will be issued for all or part of a company at one of five levels, on a pass-fail basis. A certificate attests only to the CMMC level at which the company was assessed.
DoD owns the standards against which firms will be assessed, but it does not own the assessment or certification process. How will this process work?
How soon will this start?
We know that DoD plans 10 pilots, or "pathfinder" programs, over the next few months to test processes. This phased implementation plan is likely to produce some improvements that DoD can incorporate as the process expands.
What happens next?
There are many additional questions to which we do not yet know the answers, and others of which we have not yet even thought, including:
What is the capacity and capability for assessing companies and issuing certificates, including who goes first? How fast can that capacity expand?
How will companies know which assessors are accredited and eligible to assess and certify them? Advertisements are already popping up from firms that claim to be able to help get and keep certificates.
What training is needed for DoD program and contracting personnel? When will the training begin? How long will it take?
What is the timing and coverage of the new DoD acquisition regulation?
How will DoD incorporate CMMC requirements into RFIs, RFPs, and contracts?