Breakout: Cybersecurity Maturity Model Certification
The continued aggregate loss of controlled unclassified information from the Defense Industrial Base (DIB) increases risk to national economic security, and in turn, national security.
Malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 (“The Cost of Malicious Cyber Activity to the U.S. Economy,” CEA, February 2018). In addition, approximately $600 billion, nearly 1 percent of global GDP, is lost to cybercrime each year (“Economic Impact of Cybercrime-No Slowing Down,” February 2018). To improve the cybersecurity culture across the Department of Defense (DoD), cybersecurity must be baked into everything that we do – and from the beginning.
To secure our Supply Chain, the DoD is creating the Cybersecurity Maturity Model Certification (CMMC) program in collaboration with Johns Hopkins Applied Physics Lab, Carnegie Mellon Software Engineering Institute, and Industry. The CMMC firmly establishes security as the foundation to acquisition and as something that cannot be traded along with cost, schedule, or performance. Furthermore, the CMMC combines the various cybersecurity standards into a unified standard that will serve as a requirement to do business with the Department.
The requirement for CMMC is the Department’s first step in enhancing the security, visibility, and situational awareness of the DIB and the 300,000 organizations that make up the DoD Supply Chain. To ensure scalability, the DoD, in partnership with the Defense Contract Management Agency and the Defense Counterintelligence Security Agency, will incorporate tools to conduct audits, collect metrics, and inform risk mitigation. Additionally, the Department will outsource assessments to independent third-party organizations.
The CMMC framework will be made fully available in January 2020, and by June 2020 industry will see CMMC requirements as part of Requests for Information. By fall 2020, CMMC requirements will be included in Requests for Proposals and will be a go/no-go decision.