The Department of Defense is creating a Cybersecurity Certification standard, to ensure that any vendor doing business with the agency has an adequate cybersecurity system, and can handle Controlled Unclassified Information.
The first draft of the Cybersecurity Maturity Model Certification (CMMC) has just been published and is available for public comment.
The certification framework will be released in January, and will become a requirement for any company doing business with the DoD by the summer/fall of next year.
*Even if your company does not handle CUI, you will still need to get the basic level of certification in order to do business with the Dept. of Defense – Subcontractors included!*
The CMMC will combine various cybersecurity standards and best practices, and will have several certification levels, ranging from basic cyber hygiene to more advanced processes.
The agency will determine the appropriate level of certification for each contract, which will be listed in the RFP document. Obtaining the required certification level will be considered an “allowable cost.”
The department hopes to make these certifications cost-effective and affordable for small businesses to implement at the lower CMMC levels. Certified, independent third-party organizations will conduct the certifications.