New DoD Security Certification on the Horizon

Nov. 10, 2020
Integrators and contractors who work with the government should prepare to comply with new cybersecurity requirements

This article originally appeared in the November 2020 issue of Security Business magazine. When sharing, don’t forget to mention @SecBusinessMag on Twitter and Security Business magazine on LinkedIn.


There is a lot to think about as you run your business, and if you contract with the U.S. Department of Defense (DoD) or its supply chain, there may be even more to think about.

In January 2020, the DoD launched a new compliance program called the Cybersecurity Maturity Module Certification (CMMC). This new standard builds on the existing DFARS 252.204-7012 regulation by adding five maturity levels, along with a verification and certification component. Prior to CMMC, organizations only had to self-attest that they met the DFARS requirements without requiring an external audit.

It is estimated that there are more than 300,000 companies in the Defense Industrial Base sector, and with such a large number of these organizations interacting with sensitive data in one way or another, the DoD is aiming to address numerous cyber risks through the new program.

Contractors who want to bid on DoD projects will need to become CMMC certified, possibly as early as next year, and certainly no later than 2025.

Does CMMC Apply to You?

If you do business directly with the DoD or with a sub-contractor to fulfill part of a DoD contract, the answer is probably yes. If you are producing a commercial-off-the-shelf product, then CMMC may not be required. All this said, CMMC compliance has not been made mandatory just yet, and the DoD has not fully ramped up to facilitate granting the certification at this moment.

What we do know is that certifications will be completed by a CMMC Third Party Assessment Organization (C3PAO), and the rules for becoming one have only just recently been established. You can get a fairly good sense of where the process stands by checking in with the CMMC Accreditation Body (www.cmmcab.org), which is currently at the stage of accepting applications for assessors.

Once the certification program is running and a contractor is certified, their certification will enable them to bid applicable RFPs at the level they have certified to. It is expected that each contractor’s certification will remain valid for three years.

Leveling up – The CMMC Framework

CMMC incorporates 171 security controls, along with processes for defining and maintaining security programs, that are divided into five distinct levels of maturity. The “Maturity Levels” identify whether a given contractor has the necessary security posture for a DoD contract.

The CMMC maturity levels break down as follows:

Level 1: This basic compliance level defines minimal acceptable practices. The aim here is that the contracting company will carry out basic cyber hygiene practices such as anti-virus protection and strong password management.

The main focus of Level 1 is protecting Federal Contract Information: “Information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government.”

Level 2: Under this level and the levels further, the focus shifts to protecting Controlled Unclassified Information (CUI). CUI was developed to help protect the broad range of information that is not expressly classified (which has its own set of compliance and clearance requirements), but which must nevertheless be protected due to its sensitive nature.

At this level, a contractor is obligated to implement some of the U.S. Department of Commerce National Institute of Standards and Technology’s (NIST) SP 800-171 security controls.

Level 3: The contracting company must have increased policies, plans, training, and controls in place. Roughly speaking, this level implements all NIST SP 800-171 security controls to protect CUI, along with additional security requirements.

Levels 4 and 5: At these levels, a compliant organization must have developed proven, mature skills and practices to deal with advance persistent threats. The difference between the levels boil down to how many controls have been deployed, with an increased sophistication of these techniques at Level 5.

How to Prepare Your Business

Just because you cannot get CMMC certification today does not mean that you shouldn’t prepare for it now. After all, Level 1 is about carrying out basic security processes that all organizations should embrace. For many small and mid-size businesses, cybersecurity can seem challenging, but there are cost effective ways to make swift and efficient improvements. Here are a few things you can do right now to get started:

  • Take your cybersecurity beyond anti-virus and firewalls: Modernized cybersecurity requires multiple layers of protection including policies and plans, employee awareness training, and technology that goes beyond traditional methodologies. Understanding the breadth of your current program is the first step to improvement.
  • Assess your security posture: A cybersecurity assessment can help you identify where there may be weaknesses in your program, and next steps for remediation. You can use software tools that allow you to conduct self-assessments with grading, compliance mapping and recommendations for improvement. You may also decide to hire a cybersecurity consultant to conduct these evaluations with you.
  • Keep an eye on the CMMC process over the next few months: The details around CMMC are still evolving, so to make sure that none of your bids are held up or declined because you are not on top of your CMMC certification, regularly check resources from The Office of the Under Secretary of Defense for Acquisition & Sustainment (www.acq.osd.mil/cmmc/index.html).  

Whatever CMMC Maturity Level you wind up obtaining to win DoD contracts, do not forget that checking the CMMC box is not the only reason to make security improvements. Contracting organizations should take security seriously…right now. Everyone benefits if evolving threats are dealt with effectively, data and programs are not compromised, and the entire defense supply chain develops a culture of security and resilience.

Rob Simopoulos is the Co-Founder of Defendify, the all-in-one cybersecurity platform that makes cybersecurity possible for all businesses. In his 20+ years in the security industry, he has received awards and recognition from many trusted industry experts and publications. Email him at [email protected].

About the Author

Rob Simopoulos

Rob Simopoulos is the Co-Founder of Defendify, the all-in-one cybersecurity platform that makes cybersecurity possible for Small Business. In his 20+ years in the security industry, he has received awards and recognition from many trusted industry experts and publications. Email him at [email protected].