Chip Lilliewood, vice president of government programs and channels with Dun & Bradstreet, and Bill Solms, president of Qomplx, explain the new Cybersecurity Maturity Model Certification (CMMC), issued by the U.S. Department of Defense for all suppliers in the government’s defense industrial base.

The CMMC is a new certification standard that builds on existing DOD criteria for cybersecurity protection by government contractors, mostly in the form of the 800-171 mandates issued by the National Institute of Standards and Technology (NIST). What’s different is the requirement that suppliers must now be audited by a third-party assessment organization. Their own statements of compliance with the rules are no longer sufficient. Third parties must themselves be vetted by DOD’s Accreditation Body, and contractors can choose to be audited by any of the approved entities.

Accreditation is “a rigorous process,” says Lilliewood, involving significant expenditures of time and money on the part of prospective contractors. Through pre-assessment, they can determine where any gaps in their compliance measures might lie. In any case, he says, most contractors are well aware of the requirements they must meet in order to be part of the defense industrial base, no matter how onerous they might seem. The same goes for all subcontractors and third parties involved in the making of any relevant product; they must be individually and directly audited before achieving CMMC.

Red flags for DOD include insufficient security controls over the contractor’s data, including how it’s stored, segregated and managed — “things that make a company vulnerable to outside intrusion, and the ability for classified information to be extracted,” says Solms.

“This is not just a one-and-done process,” says Lilliewood. “It has to become part of continuous modeling, to ensure that risk thresholds are being continuously met.”