With 30+ years of IT security and compliance expertise under his belt, our Chief Security Officer Michael Ngo has been hard at work ensuring the security and compliance of ORock’s Infrastructure as a Service (IaaS) and cloud offerings. Prior to joining ORock, Michael was the Chief Operating Officer for the Joint Force Headquarters Department of Defense Information Networks (JFHQ-DODIN) at Fort Meade, Maryland. Over his career, Michael has directed worldwide network operations and cyber defense for large scale organizations of over 7 million systems, on 15,000 separate networks, across various security domains.
We sat down with Michael to learn about the Cybersecurity Maturity Model Certification (CMMC), discuss the latest changes released by the U.S. Department of Defense (DoD) and what they mean to defense contractors. Below is Michael’s perspective on how organizations can be ready to comply with the latest CMMC framework.
What is the Cybersecurity Maturity Model Certification?
The CMMC was rolled out in January 2020 as a means of ensuring businesses prioritize network security as much as safety and quality. Unlike previous regulations that also incorporated cybersecurity aspects, CMMC was explicitly designed to measure the cybersecurity maturity level and align processes and practices with the type and sensitivity of the information that is to be protected.
Why is the CMMC important?
Initiated by the DoD, CMMC is a framework designed to measure cybersecurity maturity levels with the primary goal to improve and ensure the safeguarding of sensitive data, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) associated with federal contractors. The framework will align processes and practices with the type of sensitivity for the information they are responsible for protecting.
Can you provide some background leading up to the impact of CMMC for all government contractors?
The creation of CMMC was announced by the DoD in 2019 to transition from a mechanism of self-attestation of an organization’s basic cyber hygiene, which was used to govern the Defense Industrial Base (DIB). Since 2017, all defense contractors were required to self-assess and report cybersecurity readiness against the NIST SP 800-171 standard.
CMMC was initially intended to put an end to self-assessment, requiring a third-party assessor to verify the cybersecurity maturation level. Next, an interim rule authorizing the inclusion of CMMC in procurement contracts, Defense Federal Acquisition Regulation Supplement (DFARS), was published on September 29, 2020, with an effective date of November 30, 2020. The CMMC Accreditation Board and the DoD released an updated timeline on December 8, 2020 that specified the model would be implemented by September 2021.
On December 31, 2020, the GSA noted that while CMMC currently applies only to the DoD, all government contractors, civilian or military, should prepare to meet CMMC requirements.
What are the recent changes to the CMMC?
On November 4, 2021, the DoD announced the release of CMMC 2.0, which is designed to streamline 1.0 requirements. In CMMC 1.0, a contractor had to move through five maturity levels ranging from simply performed at Level 1 to optimized at Level 5. With CMMC 2.0, the original five maturity levels have been condensed into three maturity levels, eliminating levels two and four that were originally designed as transition levels. CMMC 1.0 included third-party certification requirements, while CMMC 2.0 will allow for self-attestation at Level 1 and only require third-party certification at Level 2 and Level 3. CMMC 2.0 will include an allowance for Plan of Action and Milestones (POA&M).
What do these changes mean to organizations that work for federal agencies?
While the specifics for the CMMC 2.0 are being determined, the CMMC requirement has been temporarily suspended until the detailed requirements for CMMC 2.0 have been finalized through rulemaking. This process may take 9 to 24 months. Until rulemaking formally implements CMMC 2.0, the DIB’s participation in CMMC will be voluntary. What this means is that the timeline requirement to obtain the CMMC credential has been delayed. However, the requirement ultimately remains and the DoD will continue to encourage the DIB sector to enhance their cybersecurity posture during the interim period.
How can organizations benefit from the CMMC 2.0?
CMMC 2.0 will be a comprehensive framework to protect the DIB from increasingly frequent, complex cyberattacks. With the streamlined requirements, CMMC 2.0 is expected to cut red tape for small and medium-sized businesses, set priorities for protecting DoD information and reinforce cooperation between the DoD and industry in addressing evolving cyber threats.
Chief Security Officer, ORock Technologies