The Defense Department in late January released its highly anticipated new set of cybersecurity standards that companies must eventually adhere to if they want to do business with the Pentagon. But important issues have yet to be resolved, including how much it will cost contractors to comply.
Cybersecurity Maturity Model Certification version 1.0, or CMMC, is an effort to prod the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China.
The lower tier of the supply chain is of particular concern.
"Adversaries know that in today's great power competition environment, information and technology are both key cornerstones [of national security], and attacking a sub-tier supplier is far more appealing than a prime," Undersecretary of Defense for Acquisition and Sustainment Ellen Lord told reporters at the Pentagon during a briefing about the new model. "We know that the adversary looks at our most vulnerable link, which is usually six, seven, eight levels down."
CMMC combines multiple cybersecurity frameworks, including NIST Special Publication 800-171, into one unified set of benchmarks. The specific standards that must be met will depend on the program and the specific work that a company will be doing, said Katie Arrington, chief information security officer in the acquisition and sustainment office. "Cybersecurity is not one-size-fits-all."
The level 1 standards will be the least demanding and level 5 the most burdensome.
Level 1 will be focused on "basic cyber hygiene" practices such as using antivirus software and regularly changing passwords. Level 2 will require "intermediate cyber hygiene" and serve as a stepping stone to level 3, where the bar will be much higher.
"It's a big move from level 1 to level 3," Arrington said. "You're moving from 17 to over 110 controls."
Corbin Evans, director of regulatory policy at the National Defense Industrial Association, said level 3 is what the Pentagon expects a plurality of the defense industrial base to achieve. NDIA was in close communication with the department and provided feedback on CMMC drafts that were circulated prior to the release of version 1.0.
Standards for levels 4 and 5 are even more stringent and will be imposed on "very critical technology companies" working with the most sensitive information, Arrington noted.
Third-party assessors, known as C3PAOs, will be trained and approved by a new accreditation body. They will have to certify that a company has met the CMMC standards before it can win contracts.
The new model will be phased in over the next...