Cybersecurity Maturity Model Certification: What Suppliers Need to Know
October 2019
Lockheed Martin is leading efforts, in coordination with our U.S. Defense Industrial Base (DIB) partners, to work with the U.S. Department of Defense (DoD) to increase the cybersecurity posture within the multi-tier supply chain, to include extensive collaboration on the Cybersecurity Maturity Model Certification (CMMC) initiative.
What is the CMMC?
The CMMC will be a new requirement for existing U.S. DoD contractors, replacing the self-attestation model and moving towards third party certification.
The U.S. DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the U.S. Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism that confirms appropriate cybersecurity controls and processes are in place and adequate to protect controlled unclassified information (CUI) that resides on contractor / subcontractor networks.
The certification will be built on existing requirements such as NIST SP 800-171, NIST SP 800-53, AIA NAS9933, private sector contributions, and input from academia. The CMMC will consist of 5 levels to measure the cybersecurity practices of contractors.
When will CMMC be required?
The CMMC is currently in draft, with iterative updates planned to incorporate stakeholder feedback. CMMC version 1.0 release is planned for January 2020. The CMMC will be included in Requests for Information (RFIs) starting June 2020 and in Requests for Proposals (RFPs) starting September 2020.
What can suppliers do to prepare?
As noted, much of the CMMC assessment model will be based on NIST 800-171 controls. Make a concerted effort to understand and complete any outstanding implementations of policy and/or technical controls.
Understand and keep current with the status of the CMMC by frequently visiting the OUSD CMMC website; an updated version is targeted for November 2019 release. Provide your feedback to the CMMC directly or via industry associations with which you are affiliated (e.g. AIA, ND-ISAC, NDIA).
Ensure your suppliers who handle CUI are informed of the CMMC and that they are also addressing any outstanding NIST 800-171 requirements and Plan of Action and Milestones (POA&M) items.
The CMMC is still a work in progress, and Lockheed Martin is playing an active role collaborating with the CMMC sponsors and developers. If your company handles CUI in the performance of contracts with Lockheed Martin, please contact your Lockheed Martin procurement representative for a copy of the supplier memo.
- Official Office of the Under Secretary of Defense for Acquisition & Sustainment CMMC website: https://www.acq.osd.mil/cmmc/index.html
- Article on CMMC: https://www.nextgov.com/cybersecurity/2019/09/dod-will-require-vendor-cybersecurity-certifications-time-next-year/159702/
- Article on CMMC: https://insidedefense.com/daily-news/pentagon-require-new-cybersecurity-certification-defense-contractors