The Office of the Under Secretary of Defense for Acquisition & Sustainment has released Version 0.6 (v0.6) of its Cybersecurity Maturity Model Certification (CMMC), the all-new cybersecurity certification program that will require all companies that hold contracts with the DoD to meet defined cybersecurity requirements. The previously released version of the CMMC, v0.4, was open for public comments back in September, and it appears that the DoD took those comments to heart while creating v0.6. The new version significantly reduces the size of the CMMC model, modifies the practices and processes, and provides clarifications and examples for CMMC Level 1 practices. This new version only includes Levels 1-3, as the public comments for Levels 4-5 are still being addressed.
So aside from reducing the model size and adding in discussions, what’s new about Version 0.6? Well, to start, they added a table of contents, an introduction, an explanation of the framework, and a guide to reading the model. These may seem like small changes, but the addition of these resources has made for a much more user-friendly and comprehensible model. Here are the main things that stuck out to us with the new version:
The CMMC levels DO stack
It was previously unclear whether or not the CMMC levels would “stack” or build upon each other, but v0.6 states that “To meet a specific CMMC level, an organization must meet the practices and processes within that level and below” and “Not every capability has practices at every level. However, once a practice is introduced, it applies to the level it is in and all higher levels”.
Certifications Aren’t Necessarily Pass/Fail
According to v0.6, for an organization to achieve a certain level, all the practices and processes defined in the levels below it must be achieved. Version 0.6 also says, though, that if an organization is trying to achieve a certain level and fails, it can still obtain a lower level if it qualifies for it. This is important because it was previously unknown whether or not all certification processes would be pass/fail. Now we know that there may be instances where organizations can at least receive the consolation prize of a lower level instead of walking away completely empty-handed. An example from v0.6 is “an organization that scores a Level 3 on practice implementation and a Level 2 on process institutionalization will be assigned a CMMC Level of 2”.
CMMC Accreditation Body Kick-Off Meeting
According to the Office of the Under Secretary of Defense for Acquisition and Sustainment’s website, a kick-off meeting was organized in order to discuss the key topics and requirements associated with forming a CMMC Accreditation Body. This meeting was set for November 19, 2019, from 09:00 AM to 12:00 PM at the NRECA Conference Center in Arlington, Virginia, and was hosted by the Professional Services Council.
We are excited to see what new developments arise from the kick-off meeting and the next public release which should include Levels 4 and 5 of the CMMC model. While there are more revisions to be made, the new v0.6 of the CMMC model is starting to look like a more refined and complete framework, with significant improvement from v0.4. In the coming months, it is our goal to obtain answers to unanswered questions, seek clarification, and provide feedback that keeps our clients, our fellow contractors, and the public’s best interest in mind.
If you, your organization or company, or someone you know would like more information on cyber compliance or our company, please do not hesitate to reach out to Mission Multiplier at firstname.lastname@example.org.