DoD CMMC Certification Process

The Department of Defense (“DoD”) is pressing forward with its plans to create a cybersecurity maturity program that will apply to all government contractors in the Defense Industrial Base (“DIB”). As we have previously reported, draft Version 0.6 of the Cybersecurity Maturity Model Certification was released a few weeks ago. You can read our analysis of Version 0.6 here. Version 0.7, which is due in December, is slated to address maturity levels 4 and 5, and we will provide updates on that version shortly after it is released.

Although the DoD is creating the initial version of the CMMC, including the maturity scale itself as well as training and other materials, the DoD wants a nonprofit accreditation body to take over the maintenance of the CMMC. The nonprofit will also be responsible for creating a credentialing process for the C3PAOs (certified 3rd party assessment organizations) that will provide the actual CMMC certification to a government contractors, as well as training materials for those C3PAOs. In a November 26 response to industry inquiries, the DoD indicated that it will not have the initial training guides (for CMMC Levels 1-3) available to the C3PAO until at least early February, and that training for Levels 4 and 5 may not be available until March. This means that the 3PAOs will not be able to even begin the certification process until at least late February, and there will inherently be only a limited number of people who are certified in CMMC audits at each C3PAO.

The DoD also indicated that it has received inquiries from several other government agencies and outside groups who are interested in CMMC and the overall process. We expect to see adoption of the CMMC expand to other industries and in other contexts, such as by insurance companies when assessing overall cybersecurity maturity and associated risk and insurance rates.

Finally, the DoD stressed that although written security plans and Plans of Actions and Milestones (“POAMs” or “POA&Ms”) are acceptable under DFARS 252.204-7012, DIB contractors have not done a good job in executing their POAMs. Thus, the CMMC will not give credit for plans; instead, only the current state will count toward the contractor’s CMMC level.

We strongly encourage all organizations, and especially DIB contractors, to engage an independent consultant to conduct a maturity assessment as soon as possible. The C3PAOs will have a large backlog of organizations (over 300,000!) to go through in only a few short months to meet the DoD’s September 2020 deadline, and the C3PAOs are likely to prioritize certifying those organizations that have already taken steps to assess their maturity and to address any shortcomings.

Contact Fathom Cyber today to discuss how your organization will benefit from a maturity assessment.