On November 7, the U.S. Department of Defense (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) released Draft Version 0.6 of its Cybersecurity Maturity Model Certification (CMMC) for public comment. According to DoD’s overview briefing, the CMMC was created to provide “a unified cybersecurity standard for DoD acquisitions to reduce exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB).” In brief, the CMMC builds upon DFARS 252.204-7012, which generally requires contractors to maintain “adequate security” on all covered contractor information systems and to report any cybersecurity incidents to the DoD Cyber Crime Center (DC3) within 72 hours. The certification process, which will rely on non-government third parties, raises legal and business risks for contracting entities, including the potential for disputes. Whereas DFARS 252.204-7012 relies on contractor self-certification, the CMMC framework will require all government contractors and subcontractors to obtain cybersecurity certification from yet-to-be-created CMMC Third-Party Assessment Organizations (C3PAO) as a prerequisite to performing DoD contracts.1
