Pentagon seeks feedback on draft version of new contractor cybersecurity standards

By Justin Doubleday  / September 5, 2019

The Pentagon is seeking feedback on a draft version of new cybersecurity standards defense contractors will have to start following next year.

On Aug. 30, the Defense Department released "Version 0.4" of the Cybersecurity Maturity Model for Certification (CMMC). The draft is considered the "midpoint" of the CMMC's development, according to an overview briefing published alongside the standards.

Katie Arrington, chief information security officer within DOD's acquisition and sustainment undersecretariat, said the department wants input on the various controls included in the draft document.

"I need to know what ones are not useful, and how you would take that control and make it a requirement," Arrington said today during the Billington Cybersecurity Summit in Washington.

DOD is accepting comments on the draft version of the framework until Sept. 25.

The CMMC will apply to contractors handling controlled unclassified information, which covers a range of data from personally identifiable information to sensitive schematics related to weapon system components.

The new framework has been developed by DOD in coordination with Johns Hopkins University Applied Physics Laboratory, Carnegie Mellon University’s Software Engineering Institute, the Defense Industrial Base Sector Coordinating Council (DIB SCC) and DOD’s Office of Small Business Programs, among other entities, according to DOD.

The CMMC includes five levels ranging from basic cybersecurity controls at level one to "highly advanced" practices at level five, according to the overview briefing. The CMMC combines various cybersecurity standards and best practices, including those in National Institute of Standards and Technology Special Publication 800-171, which defense contractors are required to follow today under current defense acquisition rules.

A key feature of the CMMC is accreditation, as companies must be certified at the required level before they can win a contract. Third-party companies will be cleared to conduct audit certifications on behalf of DOD.

The CMMC is intended to improve upon the current rules, which merely require contractors to self-attest to how they comply with the 110 controls listed in NIST SP 800-171.

As Inside Defense has previously reported, DOD plans to release the final draft, "Version 1.0," of the CMMC in January, according to the overview. The certification requirements will start showing up in requests for information next June and in requests for proposals by fall 2020, the overview states.

Before the final version is released, DOD will release another draft for comment, "Version 0.6," in November, according to the overview.

The Pentagon's goal for the CMMC is to increase cybersecurity across the various tiers of the defense industrial base and reduce the exfiltration of sensitive defense information.

"We need to get down to cyber basics 101," Arrington said today. "We need to level set. That's our biggest problem -- we don't do the basics."