DoD Has Released Model Version 1.0 Of The Cyber Maturity Model Certification Framework

Author: Mr Brian P. Cruz and Meghan D. Doherty
Profession: Pillsbury Winthrop Shaw Pittman LLP


DoD has released the final version of the CMMC framework. DoD anticipates that CMMC requirements will appear in a limited number of solicitations starting in October 2020 and that they will appear in all DoD solicitations by 2026. DoD officials have emphasized the importance of small and medium contractors complying with CMMC requirements, while recognizing that compliance may be more burdensome for these contractors.

DoD has released the highly anticipated final Model Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework. As we have reported in client alerts in December 2017, , , October 2018 and December 2019, the development of the CMMC framework is part of DoD's efforts to enhance the protection of sensitive data within the Federal supply chain. The CMMC framework adds a verification and audit component to DoD's cybersecurity requirements. It is anticipated that all contractors throughout the DoD supply chain will need to reach some level of CMMC certification if they are to receive future DoD contracts and subcontracts.

Model Version 1.0 of the CMMC framework includes five levels of cybersecurity maturity. Level 1, Basic Cyber Hygiene, is the baseline compliance level and requires contractors to have practices in place that are equivalent to those required by Federal Acquisition Regulation (FAR) 52.204-21 to handle Federal Contractor Information (FCI). Level 2, Intermediate Cyber Hygiene, includes a select subset of practices from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (Revision). DoD officials have described Level 2 as a transitional phase during which DoD will assist contractors, especially small contractors, in achieving compliance with Level 3. Level 3, Good Cyber Hygiene, is the level of compliance that contractors must achieve to handle Controlled Unclassified Information (CUI). At this level, contractors must have in place all of the controls from NIST 800-181 (Revised). Level 4, Proactive, and Level 5, Advanced/Progressive, add controls for contractors working on the most sensitive contracts. These include controls derived from sources such as NIST, the...
