New Security Requirements Coming to DOD Acquisition in 2020

By Lloyd McCoy, Market Intelligence Manager

Starting next summer, anyone selling IT to the Department of Defense will need to be certified by the Cybersecurity Maturity Model Certification (CMMC) in order to compete for contracts.

The CMMC is a set of security standards that will start appearing in RFIs in June 2020 and will apply to all defense acquisitions by September. The CMMC defines five security maturity levels, each with its associated security controls and processes. Level 1 will likely correspond to what we consider basic cyber hygiene, with Level 5 describing the very best in security practices. The level required will depend on the contract and will be used to determine whether a vendor makes the cut. Details on what each level contains are scant right now, but expect more information in the coming months as the Department collects public feedback.

Companies cannot self-certify. Starting in early January, DOD will designate third-party certifiers who will evaluate vendors and issue certifications. Fortunately, DOD is willing to include the cost of getting certified in future contracts. While these changes are far reaching and fast approaching, companies already compliant with NIST SP 800-171 and DFARS should be well positioned, as it is extremely likely the Department will lean heavily on existing cybersecurity controls and requirements. Once CMMC has been implemented, however, companies that do not meet the certification level specified in the contract will not be eligible for an award. It’s important to note that any subcontractors must be certified to at least Level 1. Primes will be responsible for verifying those certifications.

Those selling to the government must also maintain CMMC standards for the duration of the contract, as the Department wants assurance that the vendor continues to meet the required CMMC level throughout the period of performance.

We’ll begin to see more details this fall, and in January the certification process will begin. It’s also likely that other parts of the government will adopt the CMMC model in coming years, particularly agencies that work in the national security space. The Department of Defense is a ripe target for cyberattacks, and by extension so are the companies that sell into the Department. With access to critical national security data so widely dispersed across the supply chain, the CMMC is the Department’s attempt to establish one cybersecurity standard.

If you sell IT to the Department of Defense, you’ll want to monitor the new security certification requirements as they develop and work to get certified in early 2020.
Keep on top of the most recent trends in government IT. Subscribe to the Government Sales Insider blog.
Plan to attend the 6th Annual Government IT Sales Summit on November 21 in Reston, Virginia. Details here.

About Lloyd McCoy Jr.
Lloyd McCoy is the manager of immixGroup’s Market Intelligence organization, leveraging market analysis and purchasing trends to help immixGroup suppliers and partners shorten their sales cycles. He has a M.S. in Strategic Intelligence from the National Intelligence University, a M.A. in Public Policy and a B.A. in Political Science, both from the University of Maryland. Prior to joining immixGroup, Lloyd was a senior analyst in the Intelligence Community for eight years, serving in a variety of senior analytic and project management positions in the U.S. and abroad.
