#RSAC: The Cybersecurity Maturity Model Certification Program is Coming


    In a panel session at the RSA Conference 2022, a group of experts discussed the implications of and the opportunities created by the US Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program.

    Panel moderator Lauren Williams, a senior editor at FCW and Defense Systems, explained that any organization that wants to do business with the US Department of Defense will eventually have to comply with the Cybersecurity Maturity Model Certification program. The Department of Defense has been talking about the CMMC for the last several years as an approach to bringing a unified security standard to defense contractors. Now, in 2022, there is an effort to define the 2.0 version of the specification.

    Kelly Fletcher, principal deputy chief information officer at the Department of Defense, said that CMMC 1.0 had five levels and was quite complicated. The new CMMC 2.0 has only three levels of compliance and aims to enable a streamlined process that will be easier for organizations to understand.

    “It’s not that the cybersecurity controls aren’t as robust, it’s just that the process is more understandable,” Fletcher said about CMMC 2.0.

    CMMC 2.0 is Coming in 2023

    Fletcher explained that CMMC 2.0 is currently in the rule-making phase. The plan is for it to go to the US Office of Management and Budget (OMB) for public comment in March 2023. The current expectation is that CMMC will affect US government contracts in the summer of 2023.

    “If you’re doing work with DoD already, you should look at your contract’s cybersecurity requirements because a lot of the requirements that are in contracts today are the same as what CMMC will have,” Fletcher said.

    Matthew Travis, CEO of the CMMC Accreditation Body, explained that third-party assessment organizations will perform the assessments of the defense contractors. Travis expects that CMMC will require continuous monitoring and assessment rather than just point-in-time compliance.

    Michael Baker, a chief information security officer at DXC Technology, suggested that organizations should start looking at CMMC now and evaluate their supply chain, including critical subcontractors.

    “I would really prioritize that if you have the resources to get ahead of CMMC, make sure that you’re fulfilling the obligations,” Baker said. “It’s the right thing to do for your business because you don’t want to have a vulnerability in your supply chain that then you have to answer to the DoD for in the long run because you weren’t doing what you needed to do.”