Joshua Duvall

DoD Publishes Draft CMMC v0.4

Yesterday, the Department of Defense (DoD) published its Cybersecurity Maturity Model Certification (CMMC) Draft Version 0.4 (dated August 30, 2019). [1]

As many government contractors are aware, DoD is creating the CMMC to help shore up defense industrial base cybersecurity by way of third-party audits of contractor information systems regarding NIST SP 800-171 compliance. Defense contractors are obligated to implement the NIST SP 800-171 controls to protect covered defense information in DoD contracts subject to the DFARS 252.204-7012 clause.

Briefly, under NIST SP 800-171, the security requirements are organized into “14 families,” including basic and derived requirements for each family. In total, the 14 families provide 110 distinct security controls, which are generally tied to a contractor’s cybersecurity policies, processes, procedures, and technology configurations.

At first glance, the draft CMMC appears to go beyond the NIST SP 800-171 requirements, as it also incorporates controls/frameworks from the Center for Internet Security (CIS) and the CERT Resilience Management Model (CERT-RMM), among others. Indeed, unlike NIST SP 800-171's "14 families," the draft CMMC is currently broken down into 18 domains. To fully cover the NIST SP 800-171 controls, contractors would need to be certified at CMMC Level 3. For more general details, see the Overview Briefing Slides (linked below).

DoD is currently requesting feedback on Draft CMMC v0.4 (comments due September 25, 2019 by 5:00 PM), with the goal of releasing a Draft CMMC v0.6 in November 2019. DoD anticipates a final version of the CMMC sometime in January 2020, with CMMC requirements to be included in RFPs in Fall 2020.

Draft CMMC, Comment Matrix, and Overview Briefing:

. . .

[1] See Nicole Ogrysko, DoD unveils new cybersecurity certification model for contractors, Federal News Network (Sept. 5, 2019), available at
