OODA Loop

Understand tomorrow, today.

Department of Defense Implements Cybersecurity Maturity Model Certification Rule

Archive, OODA Original, Security and Resiliency / by

After years of staffing, coordination, pushback, revamping and rewriting, the Department of Defense has finalized rules for the Cybersecurity Maturity Model Certification (CMMC) program.

This rule transitions defense contractors from self-certification to mandatory compliance through third-party assessments. This shift aims to secure Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base.

If you are a DoD contractor, or a supplier to them, pay attention. The rule is in effect in 60 days. Timing for full compliance varies depending on your situation. Best get moving now if you are not already.

Why This Matters:

  • Goal of Strengthening Cybersecurity Posture: CMMC establishes a structured, tiered model to verify defense contractors’ adherence to defined cybersecurity standards, elevating the overall resilience against rising threats in the supply chain.
  • Risk Mitigation: By mandating cybersecurity certification levels, CMMC enhances accountability and ensures that only compliant contractors can work on sensitive government projects, mitigating risks from cyber incidents.
  • More Friction and Bureaucracy and Cost: There is no sugar coating it. The CMMC has good goals but will have unfortunate unintended consequences that savvy leaders will seek to understand and plan for.

Key Points:

  • Cybersecurity Maturity Model Certification Levels: The certification introduces five levels of maturity. The higher the level, the more stringent the cybersecurity measures. Companies handling more sensitive data must meet higher requirements.
  • Phased Implementation Timeline: The Department of Defense will gradually enforce Cybersecurity Maturity Model Certification requirements in contracts, giving organizations time to adapt to the changes and prepare for certification. Full compliance is expected over the next several years.
  • Third-Party Assessments by Certified Third-Party Assessment Organizations: Unlike previous models that allowed contractors to self-certify, CMMC requires assessments by Certified Third-Party Assessment Organizations (C3PAOs) to ensure compliance with required maturity levels.
  • Supply Chain Focus: Contractors must ensure that not only their own practices but also those of subcontractors comply with the CMMC requirements, creating a more resilient supply chain.

Recommendations:

  1. Early Engagement: Defense contractors should conduct self-assessments and implement needed changes ahead of the phased rollout of Cybersecurity Maturity Model Certification requirements.
  2. Gap Analysis: Perform a detailed gap analysis to understand current cybersecurity practices against CMMC requirements and prioritize areas for improvement.
  3. Engage a Certified Third-Party Assessment Organization: Engage with a Certified Third-Party Assessment Organization early to better understand the expectations and prepare for the assessment process.
  4. Subcontractor Coordination: Evaluate the Cybersecurity Maturity Model Certification readiness of all subcontractors and ensure they meet the appropriate certification levels to maintain compliance throughout the supply chain.
  5. Use AI to your Advantage Here: Every CIO and CISO in firms serving DoD should use AI to help ensure compliance. It is even more critical for organizations that do not have robust security teams to leverage AI for their advantage. I’m an advisor to Blackwirelabs.ai and am a member of the community of experts that support their AI enabled approach. Blackwire levrages an advanced AI trained to help companies spend more time on value creation and less on risk mitigation. It is a powerful AI but is based on human-vetted insights and rigorous methodologies and can help any firm get a leg up on CMMC.

What’s Next:

  • Expected Outcomes: DoD believes organizations that implement Cybersecurity Maturity Model Certification will better secure critical defense information, making the overall defense sector less susceptible to breaches and cyber threats. Leaders should work to make this a reality.
  • Broader Trends: Cybersecurity Maturity Model Certification aligns with broader governmental efforts to reinforce the cybersecurity posture of national supply chains amidst escalating cyber threats from state actors and cybercriminal groups.

For the full report, see: Federal Register Notice – Department of Defense Cybersecurity Maturity Model Certification Final Rule.

About Bob Gourley

Bob Gourley is an experienced Chief Technology Officer (CTO), Board Qualified Technical Executive (QTE), author and entrepreneur with extensive past performance in enterprise IT, corporate cybersecurity and data analytics. CTO of OODA LLC, a unique team of international experts which provide board advisory and cybersecurity consulting services. OODA publishes OODALoop.com. Bob has been an advisor to dozens of successful high tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency.