U.S. Department of Defense Announces New Cybersecurity Model for DoD Contractors

The U.S. Department of Defense (DoD) has announced that it will be rolling out a new cybersecurity certification model for private companies who hold contracts with the DoD. The model is called the Cybersecurity Maturity Model Certification (CMMC). The development of this model is an evolution in the DoD’s effort to protect the U.S. defense supply chain from foreign and domestic cybersecurity threats.

This should come as no surprise to DoD contractors, as the government has been pushing contractors to adopt cybersecurity best practices over the last several years. Since the U.S. government passed the Defense Acquisition Federal Regulation Supplement (DFARS), over 300,000 private DoD contractors and subcontractors have been rushing to understand the law and to implement the NIST SP 800-171 cybersecurity framework into their companies to become compliant.

Many large DoD contractors have had the resources to become compliant themselves, while others have outsourced their compliance challenges to cybersecurity companies who specialize in the NIST framework. Even still, there are many companies that have chosen to put off compliance. There have even been reported cases of DoD contractors falsely stating to be in compliance with contracts, but have later been found to be non-compliant.

Due to these challenges, the DoD has built upon existing DFARS law and developed the CMMC as a “verification component” to ensure contractors have indeed implemented the cybersecurity framework into their systems. All DoD contractors will now have to become certified to hold contracts with the DoD. Starting in January of 2020, the DoD will be conducting audits performed by approved third-party auditors. These auditors will be charged with awarding the certifications.

One of the hurdles for contractors implementing the cybersecurity framework are the costs associated with it. However, the DoD has also announced that the costs to prepare for certification are an “allowable cost,” meaning the DoD will reimburse the contractor as part of the awarded contract. This is welcome news for DoD contractors, and a great solution for the U.S. government’s challenge to protect all of the U.S. defense supply chains.