By Robert Stewart, CVS-Life, FSAVE, PMP, PMI-RMP – Vice President/President Elect, SAVE International
Cybersecurity has become an increasingly urgent concern throughout the globe with the proliferation of the internet and the reliance of the public and private sectors on this critical infrastructure to conduct its daily business. The recent hostilities between Russia and Ukraine, and the global response to it, have further heightened cybersecurity concerns.
The U.S. Department of Defense has been working with the defense contracting community to develop standards and procedures to better manage and protect government information from cybersecurity threats over the past several years. The purpose of this article is to share with the VM Community the potential implications to those individuals that do work with the U.S. federal, state, and local governments.
The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework and assessor certification program designed to increase the trust in measures of compliance to a variety of standards published by the National Institute of Standards and Technology.
The CMMC framework and model was developed by Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) of the United States Department of Defense through existing contracts with Carnegie Mellon University, The Johns Hopkins University Applied Physics Laboratory LLC, and Futures, Inc. The Cybersecurity Maturity Model Certification Accreditation Body oversees the program under a no cost contract.
CMMC, which often requires a third-party assessment if a contractor handles Controlled Unclassified Information, will impact the $768bn Defense industry – 3.2% of the Gross Domestic Product of the United States of America.[1]
CMMC provides a framework to establish three levels of certification that communicate increasing levels of cybersecurity measures to be undertaken by defense contractors (which includes VM consultants working with the DOD). It is the current understanding that level 2 certification may be most applicable to the VM consulting community.
CMMC will require contractors to undergo a cybersecurity readiness assessment and then make the necessary enhancements to its cybersecurity practices and systems to be eligible to provide services to the DOD. Note that these requirements are believed to be several years away from being implemented as part of the Federal Acquisition Regulations (FAR), however, with the recent changes in the current geopolitical environmental, this could be accelerated.
Of particular note is that it is probable that most DOD work will be designated as Compartmentalized Unclassified Information (CUI) which requires special cybersecurity measures to handle appropriately. It is also possible that the rest of the federal government will adopt these requirements. As many state and local agencies receive federal funding, this may further trickle down to these entities.
While it is difficult to predict the proliferation of these requirements, it is logical that standards for cybersecurity are emerging as an important matter and that they are long overdue. It is recommended that those in the VM Community that are engaged in work with the federal government begin looking into CMMC now and begin thinking about their cybersecurity practices proactively now rather than reacting to changes in the FAR.
Links to additional articles on this issue can be found below:
Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward
CMMC Accreditation Body looks ahead to voluntary assessments, growing ‘ecosystem’
Pentagon expects to submit
first CMMC rulemaking for OMB review in July
[1] Wikipedia – Cybersecurity Maturity Model Certification – Wikipedia