From May to July, DAU is offering a series of CMMC webcasts to provide information about the new cybersecurity model and create an open forum for the acquisition community to exchange best practices and lessons learned as they implement this new policy. As it turns out, this is a popular topic -- more than 700 viewers tuned in for the first webcast May 13.
“The strength of DAU is that it provides a conduit between government, academia, and industry and the webcast provided a forum for stakeholders, customers, and students to exchange ideas about CMMC,” event host Christopher Newborn, a DAU professor of Information Technology (Cybersecurity Emphasis), said.
In the first webcast in this series, Newborn focused on the contrast between the additional roles and responsibilities required by CMMC and those currently required by the Defense Federal Acquisition Regulation Supplement (DFARS, Clause 252.204-7012) and the National Institute of Standards and Technology (NIST SP 800-171 v1.1) basic, medium, and high assessments. He also discussed the complexities of protecting DoD’s unclassified information, including a host of related policies, threat tiers, and the CMMC framework and levels.
Since 2013, DFARS has required contractors to safeguard controlled unclassified information (CUI) in their systems, report cyber incidents, and include the same requirements in their sub-contracts. “It’s important to know that CMMC is additive and builds on existing DFARS and NIST requirements,” Newborn said.
“CMMC is the future process where acquisition is headed,” he said. “...The [Defense Industrial Base] that includes prime, sub, and manufacturers must first meet DFARS and NIST guidance as a baseline before they pivot to meeting CMMC requirements.”
With the CMMC, program offices and procuring activities must identify all Federal contract information in addition to CUI data in requests for proposals and information, contracts, task and delivery orders. The key to identification lies with their development of security classification guides.
Newborn also discussed the CMMC Accreditation Body (CMMC-AB). Activated in January 2020, the non-profit operates under a memorandum of agreement with the Department of Defense. Because the CMMC eliminates vendor self-certification of compliance, certified third-party assessment organizations (C3PAOs) that have been licensed by the CMMC-AB must assess and verify vendors. Recently, the CMMC-AB released an initial structure for the selection process of third-party assessors. The AB’s goal is to start registering C3PAOs by June and to begin provisional training of assessors by July.
“DoD’s deployment schedule expects to select 15 procurement activities in FY 20 that will be awarded in FY 21,” Newborn said, adding that lessons learned from those procurements will inform the CMMC-AB’s implementation guide.
During the next CMMC webcast on May 19, 2020, Newborn plans to discuss how covered defense information (CDI) is out and CUI is in.
This series is just the latest in DAU's efforts to provide the Defense Acquisition Workforce with critical information on protecting critical DoD information through town halls and workshops across the country. For more information on CMMC or to schedule a CMMC workshop in your area, please contact Mr. Newborn at firstname.lastname@example.org.
DAU’s CMMC Webcast Series
May 26, 2020: DoD Assessment Methodology Tool Implementation (NIST 800-171 v1.1)
June 3, 2020: Request for Information/Proposal (RFI/RFP) Contract Strategy Considerations to Implement the CMMC
July 29, 2020: Methodology for Selection of CMMC Levels (I, III, and III+)