The Cybersecurity Maturity Model Certification (CMMC) is a verification effort being refined for release by the Department of Defense (DoD), requiring DoD contractors, sub-contractors, and suppliers to be CMMC certified to bid on DoD supply chain opportunities. CMMC is a requirement developed from the urgent need for an auditable system to hold DoD contractors accountable for maintaining the cybersecurity compliance efforts they must abide by. Until now, DoD contractors have been held responsible for following DoD’s current security requirements, Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, released in 2013, and National Institute of Standards and Technology (NIST) SP 800-171, released a few years later, only via the honor system, a protocol that has yielded underwhelming results. Contractors with the best intentions, promising to adhere to these standards and others, were found to waver in their actual compliance with DoD cybersecurity requirements.
With an agency-wide movement to improve cybersecurity efforts revving up in recent years, the DoD hopes CMMC will halt the leak of Controlled Unclassified Information (CUI) that is accessed by thousands of DoD contractors in the supply chain. Currently in the final stages of development, the requirement for DoD contractors to achieve at least Level 1 of CMMC certification is expected to debut in Requests for Proposals (RFP) and Requests for Information (RFI) sometime mid-year 2020. Contractors interested in working with the DoD must be appraised by a third party that is vetted by the DoD and appointed to confirm the Level at which the contractor will be certified. At the time of this article’s release, CMMC will have five levels, with Levels 4 and 5 reserved for a small subset of the Defense Industrial Base (DIB) sector that supports DoD critical programs and technologies. CMMC Levels range from “Basic” to “Advanced / Progressive.”
Kingfisher Systems, Inc. (Kingfisher) is a trusted contractor of the DoD and an organization on the pulse of innovation, compliance regulations, and evolving Government requirements. Like many DoD contractors in the supply chain, we are actively preparing for our own CMMC appraisal and certification, regularly tracking CMMC updates as they are released. It is important to know that contractors who either choose not to be certified or fail the certification process will not be able to offer support to the DoD until certification is achieved. An expected addition to future DoD solicitations, the intent of the CMMC requirement should be evaluated by contractors as a “go/no go” decision item.
While DoD has made substantial efforts to communicate their intent to initiate this new certification requirement, many DoD contractors may be underinformed as to how this requirement will affect their ability to bid on upcoming DoD opportunities. Like many new initiatives implemented by the Government, there will likely be a period of adjustment while contractors work to understand, prepare, and execute the auditing process. Kingfisher is actively preparing for our own appraisal, with the intention to achieve a CMMC certification. “We are pleased the Government is working to improve contractor accountability for maintaining cybersecurity at a deeper, quantifiable level. Kingfisher is dedicated to continuing our tracking of DoD-issued updates concerning CMMC and working to predict the costs and manpower necessary to complete our desired certification level,” says Michael Faine, Kingfisher’s Director of Information Technology. Kingfisher is currently Capability Maturity Model Integration (CMMI) for Development (DEV) Level 3 appraised, International Organization for Standardization (ISO) 9001:2015 certified, and a ServiceNow certified integration partner. We look forward to achieving the CMMC certification necessary to continue the important work we do in support of DoD programs and initiatives.
The United States Secretary of Defense for Acquisition and Sustainment has more information on DoD’s CMMC 2020 requirements here: CMMC.
For more information on Kingfisher, including career opportunities and our commitment to community service, please visit www.kingfishersys.com.