Turning Compliance Into a Competitive Edge: Cybersecurity Maturity Model Certification (CMMC) Levels 1 – 3 Update

PilieroMazza PLLC

PilieroMazza previously wrote at some length about the Cybersecurity Maturity Model Certification (CMMC), particularly following release of revision (rev.) 0.4 for public comment. The Department of Defense (DoD) has now released rev. 0.6 for public comment and review. Rev. 0.6 incorporates the public comments resulting from review of rev. 0.4 and, pursuant to those comments, has significantly streamlined the requirements present in rev. 0.4.[1] DoD government contractors will need to prepare for the implementation of CMMC in order to use their compliance as a competitive edge.

Rev. 0.4 included 18 domains—that is, categories of cybersecurity capabilities—and rev. 0.6 includes 17. Rev. 0.6 removed the “Cybersecurity Governance” domain and simplified the capabilities within several of the other domains. For example, the “Asset Management” domain contained four capabilities in rev. 0.4:

  1. identify assets;
  2. develop a common definition for assets and their attributes;
  3. identify asset inventory change criteria; and
  4. maintain changes to assets and inventory.

Rev. 0.6 condensed those four capabilities into a single capability: identify and document assets. Rev. 0.6 also contains a helpful new appendix that clarifies the requirements for CMMC Level 1 by providing discussion of the existing policies and regulations that inform each capability within this Level, and by providing examples of what real-life implementation may look like.

DoD has indicated that it will further streamline the CMMC, and plans to continue soliciting public comments to assist in that process. DoD is also in the process of organizing a CMMC Accreditation Body, which will provide oversight for CMMC accreditations and assessments and manage third-party assessment organizations.


[1] Rev. 0.6 currently only incorporates the public comments for Levels 1 – 3. In the introduction to this revision, DoD indicates that Levels 4 – 5 have not been included because the comments on those Levels “are still being addressed.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
