cybersecurity maturity model certification (CMMC) (noun)
Rick Howard: The word is: cybersecurity maturity model certification.
Rick Howard: Spelled: C for cybersecurity, M for maturity, M for model, and C for certification.
Rick Howard: Definition: A supply chain cybersecurity accreditation standard designed for the protection of controlled unclassified information that the U.S. Department of Defense, or DoD, will require for all contract bids by October, 2025.
Rick Howard: Example sentence: Even if you're not a prime defense contractor, it's likely that you will need to add CMMC to your list of compliance obligations in the near future.
Rick Howard: Origin and context: maturity models in software engineering have been around since 1986. Early capability maturity model approaches were geared toward improving the software development process, and now they have appeared in a range of disciplines from manufacturing to cyberspace.
Rick Howard: The term maturity refers to a set of characteristics, attributes, indicators, or patterns that represent capability and progression. Maturity models establish benchmark levels to evaluate an organization's process and practices.
Rick Howard: According to Katie Arrington, the DoD CISO for acquisition, "CMMC will ensure a more level and fair playing field for companies bidding on DoD contracts."
Rick Howard: As John Roman from Security Magazine explains, "Up until now, companies that process sensitive government data, whether directly or as a subcontractor, have only been required to self attest as to their knowledge of relevant regulatory requirements. In many aspects, self-attestation has proven unsuccessful as evidenced by notable breaches of critical government information in both the public and private sector."
Rick Howard: Developed by DoD in conjunction with Carnegie Mellon University and Johns Hopkins University, the CMMC requirement is based on a compilation of multiple frameworks and standards, including the NIST SP 800-171, the NIST Cybersecurity Framework, ISO 27001, and others. It replaces DFARS, or the Defense Federal Acquisition Regulation Supplement, the current government contracting rule.
Rick Howard: According to Matt Kelly from NAVEX Global, "The CMMC establishes five levels of cybersecurity 'maturity.' The more controls you implement, the higher your maturity level, and the more contracts your business would be eligible to bid on."
Rick Howard: In 2021, the DoD started CMMC compliance with a select number of large "prime" contractors. More and more contractors will be subject to CMMC over the next five years until all defense contracts will require CMMC compliance in fiscal year 2025.
Rick Howard: Nerd reference: In November, 2020, Katie Arrington appeared on the "Coffee and Conversation" YouTube channel to talk about CMMC. She refers to the current source selection process for DoD contracts. With that system, if a potential bidder showed progress in meeting the contract requirements, the source selection authority could potentially rate another contractor who met all of the requirements at the same level.
Katie Arrington: "What's going to happen with the CMMC is it's going to be a go-no-go decision. So when the CMMC assessor comes and does the audit, you either are level one, or you're not. You either are level two, or you're not. You either are level three, or you're not, and up the chain, so it will be equal for all. And it will not be used as a source selection factor. That was one of the big things in DoD. If I made it a source selection factor, that wouldn't be fair. It needed to be a go-no-go decision because it would be arbitrary that it wouldn't be defendable. We needed a third party audit like ISO. It's not that you're sorta ISO certified. It's a go-no-go decision. That's exactly what we're doing with the CMMC."
Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.