Defense Acquisitions: DOD's Cybersecurity Maturity Model Certification Framework [December 18, 2020]
From the Introduction: "In recent years, cybersecurity threats and attacks have become a key issue for the Department of Defense (DOD). At present an estimated 300,000 companies supply products and services to the nation's defense industrial base (DIB). Concerns have been raised that some of these U.S. military contractors may pose a substantial cybersecurity risk because they currently operate with limited oversight of their internal cybersecurity controls. One effort to address cybersecurity attacks and the associated economic and national security costs to the DOD supply chain is the department's ongoing work to implement its Cybersecurity Maturity Model Certification (CMMC) framework. This initiative is designed to provide a scalable cybersecurity standard for the full spectrum of defense acquisitions. Once fully implemented, with a current target date of fiscal year (FY) 2026, the framework would require all DOD prime contractors and subcontractors to receive verification through accredited third-party certification organizations that an individual organization's internal cybersecurity practices and processes meet certain standards. This report offers an overview and analysis of issues for Congress associated with the CMMC framework. This report also discusses congressional considerations related to the Defense Department's efforts to mitigate cybersecurity risks and vulnerabilities within the DIB in the performance of DOD's government contract work."
CRS Report for Congress, R46643
Congressional Research Service: https://crsreports.congress.gov/