In January, the U.S. Department of Defense released the Cybersecurity Maturity Model Certification requirements, outlining new cybersecurity stipulations for DOD contractors. There is no deadline for compliance with this new standard, but defense contractors should expect to see its specifications incorporated into new DOD contract bid requirements.

Abbreviated CMMC, the model seeks to extend traditional requirements for handling classified information to include security controls around federal contract information and controlled unclassified information that is not intended for public release.

The Cybersecurity Maturity Model Certification includes 17 domains, ranging from Access Control and Configuration Management to Physical Protection and Incident Response. Most security professionals reviewing the domains will not find many surprises, as the domains and their component capabilities are derived from industry best practices.

One of the major distinguishing factors of the DOD’s Cybersecurity Maturity Model Certification is that it goes beyond a set of requirements and incorporates a formal certification program. Contractors seeking certification at any of the five levels must engage with a qualified assessor and obtain a formal certification of compliance that will be made available to DOD contracting officials.

Mike Chapple, University of Notre Dame