Phone 202 839-5563
DoD is releasing this latest version so that the public can review the draft model and begin to prepare for the eventual CMMC roll out.
Get a copy of the Cybersecurity Maturity Model.
Information Last Updated: November 7, 2019
The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD(A&S)) appreciates the responses received to the Request for Information (RFI) HQ0034SS10032019 seeking information on how to define the long-term implementation, execution, sustainment and growth of the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body.
As a follow-on activity, OUSD(A&S) is organizing a CMMC Accreditation Body Kickoff meeting for organizations and/or individuals interested in performing the following key functions associated with a CMMC Accreditation Body.
The purpose of this meeting is to address only these key topics and requirements associated with forming a CMMC Accreditation Body. This kickoff meeting will not discuss or address any requirements associated with creating C3PAOs or the incorporation of assessment tools or infrastructure. The intent is for the Accreditation Body to address C3PAO and assessment tool requirements after it has formed.
The Accreditation Body kickoff meeting will be held on November 19, 2019, from 09:00 AM to 12:00 PM at the NRECA Conference Center, 4301 Wilson Blvd, Plaza level, Arlington, Virginia, 22203, and will be hosted by Professional Services Council. Please arrive no later than 08:30 AM to sign in and be seated. In order to support maximum participation from parties interested in forming the CMMC Accreditation Body, each organization should limit their participation to no more than two (2) representatives. Participants must register for this event no later than November 14, 2019 at https://www.pscouncil.org/Shared_Content/Events/Event_Display?EventKey=1911CMMC&WebsiteKey=502af8cb-491d-4e9b-b350-c7e3ff5bb9ee to guarantee a seat.
The DoD is working with Johns Hopkins University Applied Physics Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) to review and combine various cybersecurity standards into one unified standard for cybersecurity.
The new standard and maturity model will be named Cybersecurity Maturity Model Certification (CMMC).
The CMMC levels will range from basic hygiene to “State-of-the-Art” and will also capture both security control and the institutionalization of processes that enhance cybersecurity for DIB companies.
The required CMMC level (notionally between 1 – 5) for a specific contract will be contained in the RFP sections L & M, and will be a “go/no-go decision”.
The CMMC must be semi-automated and, more importantly, cost effective enough so that Small Businesses can achieve the minimum CMMC level of 1.
The CMMC model will be agile enough to adapt to emerging and evolving cyber threats to the DIB sector. A neutral 3rd party will maintain the standard for the Department.
The CMMC will include a center for cybersecurity education and training.
The CMMC will include the development and deployment of a tool that 3rd party cybersecurity certifiers will use to conduct audits, collect metrics, and inform risk mitigation for the entire supply chain.
are only effective in a secure environment.
To succeed with Deliver Uncompromised requires commitment at the enterprise rather than the element level—for the Department and for its contractor base.
Given the threat environment and its consequences for DoD, this report identifies a number of strategic elements—courses of action (COAs)—to address the cyber and supply chain security challenge.
We classify actions into short term (ST), medium term (MT), and long term (LT), based on how quickly and urgently the Department should initiate action.
The COAs are listed and described in more detail further in the report.