New Cybersecurity Certification Requirements
The Office for the Under Secretary of Defense and Sustainment (OUSD (A&S)) recently released its Cyber Security Maturity model Certification (CMMC). DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs) and the Defense Industrial Base (DIB) all had a hand in developing the CMMC model. This model measures cybersecurity maturity using five levels (from basic to advanced) and aligns a set of processes and practices with the type and sensitivity of the information to be protected and any associated threats to that information. (CMMC Model v1.0, January 30, 2020)
DoD’s CMMC enhances the protection of:
- Federal Contract Information (FCI) provided or generated by the government, but not intended for public release
- Controlled Unclassified Information (CUI), which requires safeguarding or dissemination consistent with laws, regulations and government-wide policies. (ibid)
The CMMC model includes the safeguarding requirements for FCI spelled out in FAR clause 52.204-21 and the security requirements for CUI stated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 per DFARS clause 252.204-7012 [3,4,5].
Included in the CMMC model is a certification piece verifying the implementation of cybersecurity maturity measure processes and practices. This is intended to deliver assurance to the DoD that contractors and subcontractors can sufficiently protect CUI at a level equal to the risk. (ibid)
To obtain a full overview of the CMMC Model, domains, practices, and processes, please review the Cybersecurity Maturity Model Certification.
Have questions about the effect on your current contract or one in works? Give us a call.