The United States Department of Defense (DoD) announced that defense contractors will have to meet a basic level of cybersecurity standards when replying to a government acquisition program's request for proposals by 2026.

The Cybersecurity Maturity Model Certification (CMMC) framework version 1.0 was released on January 31 and it is "a unified cybersecurity standard for future DoD acquisitions."

Cyber requirements for some contractors will appear later this year and, by 2026, all new DoD contracts will come with the new CMMC requirements, DoD's Under Secretary of Defense for Acquisition and Sustainment Ellen M. Lord said.

With the introduction of the CMMC, the DoD wants to enhance the protection of supply chain unclassified information — Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) — by increasing the Defense Industrial Base (DIB) subcontractors' cybersecurity readiness.

"Today, Under Secretary of Defense Ellen Lord announced new cybersecurity certification standards for government acquisition. This first DOD cybersecurity certification model will strengthen & secure the defense industrial base." pic.twitter.com/VRlGxqquBF — Department of Defense (@DeptofDefense) January 31, 2020

The CMMC provides the DoD with a straightforward mechanism designed to make it easier to certify the cyber readiness of large and small defense contractors, using 5 levels of certification that cover both cybersecurity practices and processes.

Meeting CMMC level 1 requirements will confirm that the DIB contractor is qualified to safeguard FCI, and level 3 that it can protect DoD CUI, while levels 4 and 5 show that it can also reduce the risk posed by Advanced Persistent Threats (APTs).

"Something ... simple in Level 1 would be, 'Does your company have antivirus software? Are you updating your antivirus software? Are you updating your passwords?'" DoD's chief information security officer for acquisition Katie Arrington explained.

"CMMC Level 1 is the basic cyber hygiene skills we should be doing every day. They are there to protect yourself, your company and your own information."

Image: DoD

Defense contractors will not be certified for CMMC by the DoD alone, as CMMC "third-party assessment organizations" or C3PAOs will be designated by the department to conduct these assessments once everything is in place.

Cybersecurity risks threaten the national security of the U.S. government and that of the defense industry, including partners and allies, with an estimated $600 billion, roughly 1% of total global gross domestic product, lost to cyber thieves every year, according to a study from McAfee and the Center for Strategic and International Studies.

The DIB sector consists of over 300,000 companies that support the warfighter and contribute towards the research, engineering, development, acquisition, production, delivery, sustainment, and operations of DoD systems, networks, installations, capabilities, and services. The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation as well as significantly increase risk to national security. - The DoD

"Adversaries know that in today's great-power competition environment, information and technology are both key cornerstones," Lord added. "Attacking a sub-tier supplier is far more appealing than a prime [supplier]."

"We need to make sure our industry partners are prepared to take on the work, and our third-party auditors will ensure that they are implementing the practices that we need in place to secure that national defense and our industrial base," Arrington said.

The CMMC model in tabular form with all practices organized by Domain, Capability, and Level is available here, together with maturity level processes, and process and practice descriptions.