CMMC Training Guides to Emerge in March

The phased approach to rolling out the Defense Department’s cybersecurity maturity model certification (CMMC) is accelerating with the department’s issuance of training guides late next month, said a department official. Stacy S. Bostjanick, director of CMMC policy, Office of the Undersecretary of Defense for Acquisition and Sustainment, recently described how that and other steps are part of the foundation for the five-year effort.

Speaking at an AFCEA NOVA Chapter luncheon, Bostjanick described how the CMMC will begin rolling out 15 practices in 2020-21, followed by 75 in 2022, 250 in 2023, 479 in 2024 and another 479 in 2025. The progressive program will increase complexity with higher levels of certification.

The training guides will tell companies what they have to do to meet certification requirements, Bostjanick said. Ultimately, it will be up to them to meet those standards and qualify for certification. “As long as you go through that and you’re honest about yourself, then you ought to be ready for when the auditors show up,” she declared.

She related that of the five levels, Level 1 represents standard Defense Department security entailing basic cyber hygiene. Level 2 is an intermediate step, while Level 3 involves controlled unclassified information. Levels 4 and 5 are more exquisite, Bostjanick stated.

She emphasized that CMMC will not apply to commercial off-the-shelf products, but any company doing business with the Defense Department will have to have at least a Level 1 certification. Bostjanick added that many other government agencies are watching how the department rolls out CMMC with the idea of adopting it. Internationally, countries such as Canada, England, Italy, Singapore and Sweden also are thinking of adopting it.