The Department of Defense (“DoD”) recently announced that a new cybersecurity standard and certification program for defense contractors, the Cybersecurity Capability Model Certification program (“CCMC”), is currently under development and nearly ready for deployment.
Of course, being mindful of cybersecurity should be nothing new for companies contracting with the DoD (or subcontractors of those companies). After all, for the past several years, contractors working for the government have been bound by the Defense Federal Acquisition Regulation Supplement (“DFARS”), which generally requires the safeguarding of sensitive, unclassified information and the reporting of breaches involving such information.
But the CCMC is expected to bring new requirements and additional layers of complexity to the table. Most notably, CCMC will require anyone wishing to contract with the DoD to undergo a cyber audit, the results of which will be measured against the program’s five-level cybersecurity maturity model. The various levels will serve as minimum benchmarks that contractors must meet in order to bid on DoD projects. If a contractor’s certified maturity level falls below the one required for a particular contract, that contractor cannot bid on the project. Moreover, companies will not be able to self-certify: the required audits must be performed by independent, third-party firms, which raises potential confidentiality and privilege concerns.
Additional information pertaining to CCMC, including a DoD website containing FAQs, is expected within the coming months. In the meantime, Pentagon officials have already started making their rounds to familiarize the industry with what is coming down the pike. With the launch of the new program expected in January 2020, defense contractors should be preparing themselves now for what’s ahead.