New Mandatory Cybersecurity Requirements for Defense Contractors

 

On January 31, the Office of the Undersecretary of Defense for Acquisition and Sustainment (OSD) released final version of the Cybersecurity Maturity Model Certification CMMC). The Department of Defense (DOD) will begin including the final CMMC model as “go/no go” in new solicitations starting in late summer/early fall of 2020. On the same day, defense officials held a news conference discussing the final version of CMMC.

The purpose of CMMC is to become the “unified cybersecurity standard” for all DOD contractors, including subcontractors. Under this model, Defense contractors, including subcontractors, will be required to be certified among the different CMMC levels (1-5) in order to be eligible for contract award. The level of security is determined based on the security requirements needs for each defense contract. This differs from previous cybersecurity mandates as CMMC will require contractors to obtain a third-party accreditation. The standards for the third-party accreditors is being developed by the CMMC Accreditation Body.  

AGC has communicated the difficulty many contractors have had implementing these new cybersecurity requirements and the challenges of that the CMMC model brings. OSD acknowledges the challenge of being 100% complaint with CMMC, but suggest a firm’s “policies, plans, processes, and procedures” may offset the need for full compliance.

On September 25, AGC of America, along with a coalition of stakeholders, filed comments on Version 0.4 CMMC.

On Dec. 19, AGC hosted a CMMC WebEd that discussed CMMC and how contractors should begin to prepare.  

The CMMC standard and other requirements will be discussed at this year’s Federal Contractors Conference in Washington, D.C.

For more information, contact jordan.howard@agc.org or (703) 837-5368.