CMMC: The shifting cybersecurity landscape - DoD is tackling CUI leakage.


DoD is plugging CUI leakage because loss of controlled unclassified information to adversaries compromises national security. The implications for industry are significant, and our webinars and other resources explain them. Here are a few key points you should know:

  • CMMC (Cybersecurity Maturity Model Certification), a framework that builds on existing cybersecurity controls, rolls out in 2020. CMMC is intended to improve the security posture of organizations across the defense industrial base (DIB) and reduce cyber risk by shifting from supplier self-attestation to objective third-party certification, and from compliance to maturity. For organizations, this means moving from saying you’ve implemented security controls to demonstrating that you’ve implemented them, you’re using them, and that they’re effective.
  • Third-party audits are coming to enhance the effectiveness of DFARS 7012 and NIST 800-171 until contracts are subject to CMMC.
  • OEMs will have to demonstrate maturity relative to the effectiveness of their security controls.
  • For now, contractors can still self-attest to prescribed cybersecurity requirements for contracts not yet subject to CMMC. Be aware that the government has been employing the False Claims Act against organizations that misrepresent compliance.

You can’t afford to wait to implement CMMC controls and practices.

With the release of CMMC V1.02 and the DFARS Interim Rule, obligations and timing have become much clearer.

With CMMC gradually rolling out over the next five years, OEMs remain responsible for assuring the cybersecurity of their supply chains as directed by DFARS 7012. They remain responsible for suppliers’ self-attestation relative to compliance with the 110 security controls mandated by NIST 800-171.

To further boost the efficacy of the current DFARS, and to better secure the supply chain, DoD will be stepping up audits of both OEMs and suppliers, and has begun penalizing organizations under the False Claims Act for knowingly submitting false data.

How Exostar can help

In this climate of heightened scrutiny, Exostar can help you streamline and assure supply chain compliance with DFARS. Businesses can employ, and are employing, our solutions to save the time and costs associated with validating cybersecurity with the rigor required by DoD.

See how we can help:

Partner Information Manager (PIM)

Certification Assistant