The Pentagon has announced that it is developing a new cybersecurity certification program
White Paper | June 2020
The Department of Defense (DoD) is no longer entrusting national security to contractors who self-certify: CMMC requires a third-party audit and certification. The Pentagon has announced that it is developing a new cybersecurity certification program for DoD contractors and their non-DoD supply chain. The rationale behind this certification is to combine various cybersecurity standards into one unified cybersecurity standard that protects the United States defense industrial base (DIB) and its controlled unclassified information (CUI).
DIB refers to the government's industrial assets that are of direct or indirect importance for the production of equipment for our armed forces. The loss of CUI from the DIB sector is a direct risk to national security. The Center for Strategic and International Studies (CSIS), in partnership with McAfee, reports that as much as $600 billion, nearly 1% of global GDP, may be lost to cybercrime each year.
As such, CMMC aims to replace the current cybersecurity standard, NIST 800-171, which falls under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. CMMC will provide the enforcement that is lacking in the current DFARS rule. The current DFARS cybersecurity clause does not require third-party audits: contractors have been permitted to self-certify that they have implemented NIST 800-171. CMMC requires independent, third-party audits. All federal contractors in the supply chain, prime or sub, will need to be certified to do work with the DoD.