Under Secretary of Defense Ellen Lord statement on misleading cybersecurity certification information
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) program is a new set of cybersecurity standards developed by the Department of Defense (DoD) to protect defense contractors from cyber attacks.
- Access CMMC 1.02
- CMMC 1.02 Appendices
- CMMC Model Briefing from DoD
How will CMMC work?
DoD will require CMMC certification prior to any company/business/contractor winning a DoD contract. DoD delivered CMMC 1.0 standards (later updated to version 1.02) to a new non-profit governing organization, the Accreditation Body (AB). The AB will certify third-party inspectors who will then certify companies/businesses/contractors against the different CMMC standards/levels. Third-party inspectors will provide companies’/businesses’/contractors’ certification levels to the AB for tracking and provision to the DoD. The AB will not make CMMC certification levels publicly available.
For more information on the AB, please visit their website: CMMCAB.org/
How will CMMC impact NDIA’s members?
The new CMMC program will require certification for all contractors doing business or who want to do business with DoD. This group of affected contractors includes companies indirectly doing business with DoD through subcontracts as well as companies that sell commercial products or services to DoD.
When will CMMC be rolled out?
DoD published the initial set of CMMC standards on January 31, 2020. Companies will have the ability to be certified in the coming months while CMMC language will start appearing in Requests for Proposals and Requests for Information as soon as the Summer of 2020. By 2026, all new DoD contracts will require an appropriate level of CMMC certification.
Who will decide the required CMMC level for each contract?
The DoD is currently developing a plan to educate acquisition professionals on how to set the appropriate CMMC levels for each contract.
How will CMMC compliance be different from compliance with NIST SP 800-171 through DFARS 252.204-7012?
CMMC merges several cybersecurity control standards, including NIST SP 800-171, into a single, unified standard. It goes beyond NIST SP 800-171 to include the assessment of organizational cybersecurity practices and processes in addition to the assessment of technical systems and practices. However, CMMC compliance will not imply NIST SP 800-171 compliance. NIST SP 800-171 includes 63 non-federal organization controls that are not covered by CMMC. At this time, contractors will have to continue to comply with DFARS 252.204-7012 requirements.
How will CMMC impact subcontractors?
At a minimum, all subcontractors will be required to carry CMMC Level 1 Certification to continue to participate in DoD contracts. Additionally, a prime contractor may require Level 3 Certification for a contract while subcontractors may require different levels of certification. Prime contractors will work with contracting officers to determine the CMMC levels required for subcontractors. The process to determine subcontractors’ CMMC certification requirements is still evolving.
What is NDIA’s role in CMMC?
NDIA worked closely with the DoD during the development of both CMMC standards and the model for governing the program. NDIA provided comments, recommendations, and critiques throughout that process. NDIA also hosted several opportunities for NDIA members to engage with DoD CMMC leads. Going forward, NDIA will continue to serve as a conduit between NDIA members, DoD, and the governing Accreditation Body, communicating changes to the regulations and processes to NDIA members while translating the impact of these regulations and suggested changes from member companies to DoD and the AB. NDIA will not have an official role within the AB and will not serve as a CMMC third-party inspector.
What questions does NDIA have about CMMC?
Following a March 2020 meeting with Undersecretary of Defense for Acquisition and Sustainment Ellen Lord, NDIA was asked to compile a list of outstanding questions from its membership. The NDIA Cyber Legal Policy Committee (NDIA's group focusing on CMMC) compiled a list of questions that was delivered to the Department of Defense in April 2020. The letter that was sent is viewable here.
NDIA Resources on CMMC
- NDIA’s comment on CMMC version 0.7
- We developed this set of comments through coordination by the NDIA Cyber Legal Policy Committee and incorporate comments related to CMMC v0.6 and v0.7. We delivered this comment to DoD on January 9, 2020.
- NDIA’s comment on CMMC version 0.4
- This set of comments was developed through coordination by the NDIA Cyber Legal Policy Committee in reaction to the first publicly available version of CMMC. We delivered this comment to DoD on September 25, 2019.
- Council on Defense and Space Industry Associations (CODSIA) Comment on CMMC version 0.4
- NDIA is one of seven members of CODSIA and worked with the group to submit a comment on the initial CMMC draft.
- The Role of Cyber Insurance for CMMC
- NDIA members developed this paper to discuss the potential role for cybersecurity insurance in the continually evolving cyber landscape. This paper is a work in progress and suggestions for edits, expansions, and updates should be sent to Regulatory@NDIA.org.
- Exostar-NDIA CMMC webinar featuring Katie Arrington
- NDIA and Exostar co-hosted this webinar to allow Katie Arrington, DoD’s principal on CMMC, to answer questions about the program. This webinar was recorded on October 24, 2019—prior to the public release of CMMC 1.0—and may contain information that is no longer consistent with the finalized version of CMMC.
- NDIA members can join the conversation around CMMC at NDIA Connect
- DOD - CMMCAB Memorandum of Understanding
Other NDIA Cyber Resources
- NDIA 2019 Cyber Report – Beyond Obfuscation: The Defense Industry’s Position within Federal Cybersecurity Policy
- NDIA 2019 Cyber Report Webinar with CREC
- Summary of GAO report on the federal government’s cybersecurity risk management programs
- Summary NIST 171B Standards