DoD’s Recently Released Draft Framework Signals Significant Changes in Cybersecurity Requirements

Bass, Berry & Sims PLC

A major shift in cybersecurity requirements for Department of Defense (DoD) contractors is about to come into effect—earlier this month the DoD released for public comment the long-anticipated Version 0.4 of the draft Cybersecurity Maturity Model Certification (CMMC). This new framework for safeguarding controlled unclassified information (CUI), which includes a certification requirement by a third-party auditor, presents both significant opportunities and challenges for DoD contractors.

In an overview briefing on the new model, DoD emphasized that the new framework will impose a unified cybersecurity standard for all DoD acquisitions and, in so doing, “reduce exfiltration of [CUI] from the Defense Industrial base.” To achieve this goal, the new model significantly bolsters the existing compliance regime around cybersecurity—which currently, for the most part, requires compliance with the security standards set forth in NIST SP 800-171 through DFARS 252.204-7012.

CMMC Introduces Five Levels of Cybersecurity Requirements

Most fundamentally, and significantly from the contractor’s perspective, the CMMC introduces a certification requirement by independent third-party commercial organizations. The model further specifies five maturity “levels,” with Level 1 requiring the most basic controls and Level 5 the most sophisticated security processes and practices. Contractors will specify to the certifying entity which certification Level they seek to attain and, upon demonstrating compliance with the required practices, will be certified for that level.

To attain a Level 1 certification, a contractor need only adopt basic cybersecurity practices and perform them in at least an ad-hoc manner; DoD intends this level to be attainable by small firms. Level 3 requires far more robust practices, in particular compliance with NIST SP 800-171—until now considered the highest compliance standard—and implementation of “additional practices beyond the scope of CUI protection.” Level 5 requires even more robust practices, including “highly advanced cybersecurity practices” that are resilient against highly advanced threats, with defensive responses performed at machine speed.

Even more importantly, certification at an appropriate Level will soon become a barrier to entry for all DoD contractors. Starting in the fall of 2020, RFPs will indicate which cyber-maturity Level an offeror must meet as a “go/no go” requirement. In other words, contractors who are not certified, or who do not meet the cybersecurity maturity Level specified in the solicitation, will be precluded from participating.

This highlights the need for contractors to target compliance with the new framework as soon as practicable. Contractors who fail to quickly adapt to the new compliance regime may find themselves at a significant competitive disadvantage. It is important to understand, however, that the recent release is just a draft and that a few important details are yet to be worked out; contractors can expect release of additional information and revisions before Version 1.0 of the CMMC framework is released sometime in January 2020. While CMMC for now only applies to DoD contractors, it remains a distinct possibility that civilian agencies will soon follow suit.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bass, Berry & Sims PLC | Attorney Advertising
