The Department of Defense (DoD), under the direction of Mr. Kevin Fahey and Ms. Katie Arrington, has sharpened the focus on protecting CUI shared with suppliers throughout the Defense Industrial Base (DIB). They have taken an impressive approach to bringing together government and industry to move the needle on protecting and preserving our military and economic advantage. The CMMC reflects a straightforward process to assess and certify those who have CUI. The CMMC model includes 5 levels to account for CUI use, supplier roles, and program visibility. Exostar has written various posts about the evolving CMMC Model. Here are some key points we learned or heard again this week:
- There has been more discussion regarding whether CMMC certification should apply only to suppliers sharing CUI. As of right now, all companies that work with the DoD will be required to be at least CMMC Level 1 certified. The government and prime contractors can lessen the risk of CUI leakage by sharing CUI only where and when needed.
  - Proper sharing will help lessen the risk of the data being compromised.
  - Proper sharing will also help keep costs down, as suppliers that don’t have CUI will not require the flow downs or the higher-level CMMC controls and certification.
- DCMA has conducted various assessments of the existing controls found in Special Publication 800-171 from the National Institute of Standards and Technology.
  - The assessments have been collaborative, with an eye toward learning and understanding from one another.
  - Both contractors and suppliers, as well as DCMA, have prepared extensively.
  - The participants in the assessment have been complimentary of the process and the assessors.
There is certainly more to come. We at Exostar are excited to work with the DoD to fortify and extend the economic and military advantages of the U.S. and those of our allies. We are especially mindful of how this model, and working closely with the DoD and DIB, can better protect those who protect our freedoms and are in harm’s way.