The U.S. Department of Defense (DoD) recently published a new set of cybersecurity standards, known as the Cybersecurity Maturity Model Certification (CMMC) version 1.0. The new standards will require defense companies to adhere to a set of rules and mandates if they want to do business with Pentagon procurement programs. According to DoD, any company that does business with the Pentagon will have to obtain some level of certification, and its defense acquisition workforce will need to be trained on how to apply the model to their contracts.
CMMC’s Cybersecurity Levels
CMMC specifies five different cybersecurity levels, ranging from basic cyber hygiene requirements to detailed lists of security controls. Level one will be the least rigorous and focuses on basic cyber hygiene. The second and third levels focus on intermediate cyber hygiene. Finally, the fourth and fifth levels will apply to technology companies that are working on critical programs.
CMMC is also intended to prepare the defense sector to protect its networks and unclassified information against cyberattacks by foreign adversaries.
Ellen Lord, the Under Secretary of Defense for acquisition and sustainment, said, “Obviously this is a complicated rollout for industry, and we’re being realistic in terms of making sure we have pathfinder projects that we’ll implement, and then learn, get the feedback and go on. This is a critical cornerstone of the department’s overall cybersecurity effort, and we believe we are doing this with what I would call irreversible momentum. We want to make sure that this works and that it is sustained.”
Lord also highlighted, “Adversaries know that in today’s great power competition environment, information and technology are both key cornerstones [of national security] and attacking a sub-tier supplier is far more appealing than a prime.”
Earlier, Lord released a “Do Not Buy” list of software from vendors whose code originates from Russia and China. She said the list was intended to help DoD acquisitions staff and partners avoid buying problematic code from unreliable sources.