The Department of Defense recently released a draft of the unified cybersecurity standards set to be implemented in January 2020. The Cybersecurity Maturity Model Certification (CMMC) aims to enforce the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) frameworks by requiring every contractor to be audited by an independent third-party certifier (3PAO). Up until now, even with DFARS clause 252.204-7012, which requires contractors handling controlled unclassified information to implement the 110 security controls of NIST SP 800-171, contractors’ cybersecurity practices have been inconsistent, and they have struggled to secure their expanded supply chain.
The Cybersecurity Maturity Model Certification
Looking ahead with CMMC, the contractor will use the new framework to self-evaluate and then request a 3PAO certificate at a specific level from 1 to 5, with 5 being the most secure. The 3PAO will validate the contractor’s requested CMMC level based on their policies, documentation, and the implementation of security controls.
After the initial CMMC requirements are released early next year, contractors will have a short 6-month window to get audited and receive their ratings. By June 2020, contractors can expect to see Requests for Proposal specifying levels needed to compete on each contract. Recognizing that increasing compliance may be expensive, the DoD is now allowing contractors to mark new security costs as “allowable” items in proposals.
Guiding the CMMC Framework
As the single largest provider of cyber services and capabilities to DoD, Booz Allen is working closely with the Federal Government to establish and refine the new CMMC framework. We’re the leading provider of professional and managed security services in North America, supporting the Department of Homeland Security’s Continuous Diagnostics and Mitigation efforts for nearly 80 percent of the Federal Government across 13 of the largest agencies and more than 4 million network-connected devices. This includes the Departments of the Treasury (and all bureaus), Health and Human Services (and all operating divisions), Agriculture, Interior (and all bureaus), NASA (and all mission centers), and many others. For more than 5 years, we’ve helped them address critical cyber capability gaps and fortify the security of their networks, systems, and data.
In addition, Booz Allen supports critical cyber missions for all six major cyber commands: United States Cyber Command (USCYBERCOM), U.S. Army Cyber Command (ARCYBER), 24th Air Force, Navy 10th Fleet, U.S. Marine Corps Forces Cyberspace Command (MARFORCYBER), and Defense Information Systems Agency (DISA). We ensure the nation’s cyber mission forces have advanced offensive and defensive platforms to defeat U.S. adversaries in cyberspace.
Unparalleled Tradecraft and Flexible Delivery
With strong cybersecurity acumen and systems engineering expertise, Booz Allen continues to leverage world-class talent, tradecraft, and experience to defend our clients. Our solutions-based approach tailors cyber defenses through risk assessments, design, and implementation to secure our clients’ most critical assets.
We’re ready to help you understand what to expect and stay ahead of the impending implementation of the CMMC framework. Find out more by emailing [email protected] or visiting our Commercial Strategy page.