Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC)
CMMC is a DoD certification process that measures a company's ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC draws on existing cybersecurity standards and maps their practices and processes to maturity levels, from basic cyber hygiene to advanced/progressive.
All DoD contractors and subcontractors, except subcontractors that solely provide Commercial-off-the-Shelf (COTS) items, will have their cybersecurity maturity scored on a scale of 1 to 5. The Department of Defense will use the same scale to stipulate in solicitations the CMMC level required.
A CMMC Accreditation Body, a neutral third party that maintains the standard for DoD, was established to train and verify the third-party cybersecurity certifiers who will conduct audits. Additional information regarding the CMMC Accreditation Body is available at https://www.cmmcab.org/.
DoD contractors and subcontractors must be audited and scored.
CMMC will be included in RFIs starting in Summer 2020.
CMMC will be included in RFPs starting in Fall 2020.
Certification of cybersecurity compliance will be required for suppliers to do business with GDIT and the U.S. DoD, unless the supplier solely provides COTS items. The CMMC program is led by the Office of the Under Secretary of Defense for Acquisition and Sustainment, and CMMC scores will be tracked by the DoD. Every supplier other than a COTS-only supplier will therefore need a CMMC rating from 1 to 5, and DoD solicitations may exclude suppliers rated below a specified CMMC level. A supplier that processes, stores or transmits CUI must be certified at CMMC Level 3 or higher.
Suppliers are responsible for sourcing, conducting and reporting their own CMMC audits through accredited third-party entities. The CMMC Accreditation Body is developing the certification process; refer to the "Organizations Seeking Certification" section of the CMMC Accreditation Body site for additional information.
The applicable flow-down clauses are included in General Dynamics Information Technology terms and conditions for its Suppliers.
Reporting a Cybersecurity Incident
In accordance with DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, Suppliers are required to rapidly report cyber incidents within 72 hours of discovery to the GDIT SOC Hotline at 1-571-386-3500 and directly to the Department of Defense (DoD) at https://dibnet.dod.mil/portal/intranet/. Note that reporting through the DIBNet portal requires a DoD-approved medium assurance certificate, so Suppliers should obtain one before an incident occurs rather than during the 72-hour window. The Supplier must provide the incident report number automatically assigned by DoD to General Dynamics Information Technology as soon as practical. The same clause also requires the Supplier to preserve and protect images of all known affected information systems and the relevant monitoring/packet capture data for at least 90 days from submission of the cyber incident report, so affected systems should not be wiped or rebuilt before that evidence is captured.
Achieving Cybersecurity Compliance – Other Helpful Cybersecurity References