Recently introduced, the Cybersecurity Maturity Model Certification framework will dramatically change the process for IT vendors looking to do business with the Defense Department. Put simply, vendors will no longer be able to self-attest that all necessary controls are either in place or will be in place within a specified time frame; now, they'll be assessed by a third party and issued a level rating.
Greg Thornton with SSE Inc. in St. Louis, MO shares insights into CMMC and what will be required from IT vendors looking to work with DoD.
How does it work?
The Department of Defense is currently setting up the accreditation body that will oversee the program. Sometime this month, they will release the memorandum of understanding and then begin the process of credentialing C3PAOs, the third-party organizations that will assess and certify vendors and then monitor those certifications going forward.
Vendors will be certified on a five-tier system based on their progress toward 173 practices and 43 capabilities. The standards used are based on those of the National Institute of Standards and Technology, international standards and standards that drive aviation. After compiling all standards, the Pentagon worked through the list to reduce it to those that will be used going forward.
How will it impact IT vendors?
There are both advantages and disadvantages for IT vendors. Right now, if two vendors bid on a single project, the vendor with the lower rate will win. However, what clients can't see is that one vendor has 110 controls in place while the other vendor may only have 80 or 90 controls in place and an action plan in motion for the remaining controls. The current process is deceiving to clients and, in many cases, leaves more qualified vendors with less work. The new process brings awareness to the difference between a higher bid and a lower bid, giving qualified vendors a better shot at the projects they want.
However, there are disadvantages. Those lower-priced vendors with fewer controls in place may find it more difficult to compete despite lower bids due to the transparency of the rating system. Additionally, not all vendors are in a position to attain certification due to the commitment required to meet all controls. The Department of Defense does plan to offer scholarships or grants to assist vendors who need it.
Are all vendors impacted?
No. Right now, the certification is required for vendors who want to provide contracted services to the Defense Department. However, those working in tech know how critical it is to be nimble and ready for change at all times, and this certification program could easily lay the groundwork for the future. Large organizations may choose to adopt the same standard for increased security, marking the beginning of new expectations across the board when it comes to IT vendor selection.
For this reason, it is in the best interest of IT services vendors to work toward certification, whether they plan to work for the Defense Department or not, and in the best interest of organizations to consider adopting the same or similar standards.
This article does not necessarily reflect the opinions of the editors or management of EconoTimes.





