Contractor information systems that store government data, referred to as Controlled Unclassified Information (CUI) and/or Covered Defense Information (CDI), will soon have to meet the security standards of the Cybersecurity Maturity Model Certification (CMMC). In January, version 1.0 of the CMMC was released. This is a crucial step in DoD’s efforts to ensure that the supply chain is more secure. All contractors that do business with the DoD will be subject to CMMC compliance.
The CMMC will fortify the requirements of the Defense Federal Acquisition Regulation Supplement (DFARS) clause that specifies implementation of the NIST security controls (SP 800-171). The CMMC model contains five levels of cybersecurity maturity, which will be certified by a third-party auditor. If CUI and/or CDI is stored on the contractor’s system, “level 3” will be required. More information on CMMC can be found at https://www.acq.osd.mil/cmmc/draft.html.