BREAKING: Pentagon Rolling Out New Cybersecurity Standards for Industry
The Defense Department unveiled its plans Jan. 31 for implementing a new set of cybersecurity standards that companies must eventually adhere to if they want to do business with the Pentagon.
Cybersecurity Maturity Model Certification version 1.0, or CMMC, is an effort to prod the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by foreign adversaries such as China.
“Adversaries know that in today's great power competition environment, information and technology are both key cornerstones [of national security], and attacking a sub-tier supplier is far more appealing than a prime,” Undersecretary of Defense for Acquisition and Sustainment Ellen Lord told reporters at the Pentagon.
The new model will only apply to new contracts, Lord noted. Although cybersecurity is of great concern to the military, the new standards will be phased in over the next five years. By fiscal year 2026, all new Defense Department contracts will contain CMMC requirements.
The Pentagon is taking a “crawl, walk, run” approach, Lord said.
The lower tier of the supply chain is of particular concern. “We know that the adversary looks at our most vulnerable link, which is usually six, seven, eight levels down in the supply chain,” she added.
The CMMC combines multiple cybersecurity standards and references including NIST Special Publication 800-171, into one unified set of benchmarks.
A progressive scale with levels 1 to 5 will be applied depending on the program and specific work that a company will be doing, said Katie Arrington, chief information security officer in the acquisition and sustainment office.
Level 1 standards will be the least stringent and levels 4 and 5 the most burdensome.
“Cybersecurity is not one-size-fits all,” she said. Level 1 will be focused on “basic cyber hygiene” practices. “Level one would be: does your company have antivirus software? Are you updating your antivirus software? Are you updating your passwords?” Arrington explained.
Level 2 will require “intermediate cyber hygiene.” By Level 3, the bar will be much higher.
“It's a big move from level 1 to level 3,” Arrington said. “You're moving from 17 to over 110 controls.”
Levels 4 and 5 will apply to “very critical technology companies that will be working on those [most critical] programs,” she said.
In a change from previous policies, CMMC will require companies to be accredited by third-party assessment organizations, or C3PAOs.
“Of course we have a new acronym for you,” Lord joked.
Arrington said: “We need to make sure that our industry partners are prepared to take on the work, and the third-party auditors will ensure that they are implementing the practices that we need in place to secure the national defense and our industrial base.”
The new accreditation body will select the C3PAOs. The body — which will consist of 13 members from the defense industrial base, cybersecurity community and academia — was created earlier this month. It will be responsible for training and certifying candidate C3PAOs and individual assessors.
“There are multiple companies that are interested right now, but we have not officially designated who is qualified,” Lord said.
The Defense Department will deliver CMMC version 1.0 to the accreditation body early next month.
“Obviously this is a complicated rollout for industry and we're being realistic in terms of making sure we have pathfinder projects, and then we implement it and learn, get the feedback and go on,” Lord said.
The new requirements will be included in requests for information in the June timeframe for the pathfinder projects, followed by corresponding requests for proposals around September. CMMC standards must be met at the time of contract award.
The Pentagon is working on ways to ensure that complying with the new rules won’t be too costly for smaller businesses and compel them to stop doing business with the military, Lord noted.
“One of my biggest concerns is implementing CMMC for small and medium businesses because that's where a large part of innovation comes from,” she said. “We need small and medium businesses in our defense industrial base and we need to retain them.”
A number of primes who have come up with ideas about how to more cost effectively accredit lower-tier suppliers that they work with, including developing a number of different groups to streamline the certification process, she said.
“We understand that CMMC could be a burden to small companies particularly, and we will continue to work to minimize impact — but not at the cost of national security,” she added.
Lord noted that the Pentagon has sought input from companies large and small, lawmakers and staffers on Capitol Hill, academia and trade organizations such as the National Defense Industrial Association, before issuing the new standards.
She recommended that companies who need guidance about the CMMC reach out to defense associations. More information about the new standards can also be found on the Pentagon’s CMMC website.
“The industry associations are going to play a pivotal role here and they provide an enormous service to industry to say what does it take to work with DoD,” Lord said. “They are going to be really key in all of this.”