UPDATED November 8th, 2019

Cybersecurity Maturity Model Certification – CMMC

Topic:Understanding Cybersecurity Maturity Model Certification (CMMC): How it will affect your organization and how to prepare.

Presenter: Katie Arrington, Chief Information Security Officer, Office of the Under Secretary of Defense for Acquisition and Sustainment.

Click here to download Ms. Arrington’s slides.

Topic: “Detailed Analysis of CMMC’s Impact on Suppliers.”

Presenter: Panel of CISOs from Lockheed Martin, Raytheon, BAE Systems and Huntington Ingalls Industries.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) will be a new requirement for existing DoD contractors, replacing the self-attestation model and moving towards third party certification.

The certification will be built on existing requirements such as NIST SP 800-171, NIST SP 800-53, AIA NAS9933, private sector contributions, and input from academia. This new certification will assure any existing problems within the Defense Industrial Base will be covered and secure. The CMMC will consist of 5 levels to measure the cybersecurity practices of contractors.

*Update: December, 2019: CMMC ver 0.7 released.
*Update: November 8, 2019: CMMC ver 0.6 released.
*Update: October 10, 2019: CMMC Accreditation Body RFI
*Update: September 5, 2019: CMMC ver 0.4 released
*Update: September 3, 2019: The Verdict is in: Self-Attestation is Out
*Update: August 27, 2019: Why Security Can’t be the 4th Procurement Pillar

Exostar’s regularly updated LinkedIn Page on CMMC.

Current Certification Model as of November 2019 (subject to change, we will post updated charts when available)

CMMC Timeline of Implementation (As of August 2019)

CMMC ver. 0.1 – May, 2019
 CMMC ver.0.2 identified/reviewed gaps between other standards and CMMC phase 1 model – July, 2019
• CMMC Listening Tour – July to Oct. 2019
• CMMC starts initial pathfinders – Fall, 2019
CMMC ver. 0.4 – Released
CMMC ver. 0.6 – Nov. 2019
• Training of 3rd party assessment organizations for CMMC – Jan. to June, 2020
CMMC to start appearing in RFIs – June, 2020
CMMC to start appearing in RFPs – Sep. 2020


Frequently Asked Questions

  • What is CMMC?

    CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use as a “go / no go decision.”

  • Why is CMMC being created?

    DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

  • How can my organization become certified?

    Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.

  • How do I request certifcation assessment?

    We expect that there will be a number of companies providing 3rd party CMMC assessment and certification.

  • I am a subcontractor on a DoD contract. Do I need to be certified?

    Yes, all companies doing business with the Department of Defense will need to obtain CMMC.

  • How often does my Organization need to be reassessed?

    The duration of a certification is still under consideration.

Products to Assist with NIST 800-171 Compliance

Building and maintaining compliant Security policies can be daunting. Many suppliers lack the time or in-house resources needed to create and maintain the security policies mandated by NIST 800-171 and similar standards. Exostar’s PolicyPro removes the mystery and assists any defense supplier with compliance.

Exostar PolicyPro is a cloud-based software solution that uses advanced technologies to help you build, assess, and maintain all of the policies you need to demonstrate NIST SP 800-171 compliance – quickly and inexpensively (sign up today for under $1000).  Best of all, you can continue to do so even as the 800-171 standard evolves or new standards are introduced into the DoD procurement process.

Read More