The U.S. Department of Defense’s proposed rule for the “Cybersecurity Maturity Model Certification” program, which has been years in the making, is close to becoming a reality.
The DOD describes certification as a new “assessment mechanism” designed to ensure defense contractors and subcontractors are compliant with information-protection requirements as they pertain to cyber threats.
So, organizations planning to do business with the DOD will be required to achieve the certification before receiving contract awards, or risk forfeiture of those opportunities.
The CMMC credential is, broadly speaking, what the ISO standards are for quality.
Additionally, CMMC aligns with the cybersecurity requirements described in the National Institute of Standards and Technology (NIST) Special Publication 800-171.
The DOD already requires many contractors to comply with NIST 800-171, a set of cybersecurity practices to safeguard sensitive information. CMMC is a formal assessment evaluating an organization’s compliance with NIST 800-171.
Now is the time for businesses that bid on DOD contracts to prepare for the CMMC.
“The CMMC rule was published in the ‘Federal Register’ Dec. 26, 2023,” said businessman Fernando Machado, managing principal and chief information security officer at Cybersec Investments LLC in Melbourne. “It’s the next formal step in making CMMC a requirement.”
“There is a 60-day period for those in the industry who want to make comments on the rule. At the end of the 60 days, Feb. 26, the DOD will take the comments and begin adjudicating them. Then later the rule is expected to go live. No date has been announced, but the government is aiming for fall of this year, or it could be early next year. Businesses in the DOD sector need to get ready now,” he added.
The Federal Register is the official daily publication for rules, proposed rules, and notices of federal agencies and organizations, as well as executive orders and other presidential documents.
Once the open questions are answered, there will be a clear path forward regarding scope, requirements, and timelines for when CMMC will be incorporated into government contracts, he said.
Government contractors and subcontractors will have to go through a third-party validator to show they are protecting the DOD’s sensitive information.
Cybersec Investments is a “Third Party Assessment Organization,” or C3PAO, accredited by CyberAB, formerly known as the CMMC Accreditation Body.
Machado’s company, which he founded five years ago, provides a range of services including CMMC audit-readiness assessments, consulting to address compliance gaps, and official certification.
“We were the first and still are the only authorized C3PAO on Florida’s East Coast,” he said, adding that his company is gearing up to host a CMMC conference in Orlando.
The CMMC is designed to fortify the defense sector’s cybersecurity infrastructure, ensuring that Defense Industrial Base (DIB) members are equipped to guard against evolving cyber threats, as it pertains to defense-related information.
The Council of Economic Advisors has estimated that malicious cyber activity costs the U.S. economy more than $100 billion annually. A Rand Corp. report estimated the annual cost to be $250 billion every year. Aside from the dollar loss and job loss, these breaches erode trust in key institutions.
The DIB is the target of increasingly frequent and complex cyberattacks. The DIB encompasses more than 200,000 companies around the nation, many of which are small businesses.
“The third-party certification is specifically for defense contractors handling either federal contract information or controlled and unclassified information,” said Machado, a U.S. Army veteran who earned his bachelor’s degree in information systems security from the University of Phoenix and worked for Raytheon in Arizona.
Machado served in the Army from 2001 to 2004. He was with the 3rd Infantry Division. His division was involved with the Battle of Baghdad in early April 2003, as part of the second Persian Gulf War.
He worked in his field for 10 years before becoming an entrepreneur. Machado worked with customers such as the U.S. Army and U.S. Air Force.
In 2018, he and his wife Nicole moved to Melbourne from Arizona and started Cybersec Investments. She is the firm’s director of client engagement. Fernando Machado grew up in Miami.
To fine-tune its operation, the husband-and-wife team worked with the Small Business Development Center at the University of Central Florida and its Procurement Technical Assistance Center. “They were of great assistance in many areas,” he said.
Now he is using his knowledge to help colleagues in the industry learn more about implementing NIST 800-171 and preparing for CMMC conformity. Machado, teaming with U.S. Air Force veteran Matthew Titcombe, founded the “Controlled Unclassified Information Conference,” or CUI-CON.
Machado and Titcombe, who runs Peak InfoSec in Colorado, have worked in the CMMC ecosystem since the original draft documentation was being developed by the DOD and CyberAB.
Both received the President’s Volunteer Service Award for providing their expertise and time with CyberAB, and were recognized by the White House.
In 2003, the President’s Council on Service and Civic Participation founded the President’s Volunteer Service Award to single out the important role of volunteers. The two were active members of the CMMC Accreditation Body’s Standards Management Committee Industry Work Group, which helped develop guidance on CMMC’s assessment criteria.
The Industry Work Group tallied 17,432 volunteer hours. This led CMMC’s accreditation body to formally recognize the Industry Work Group’s efforts by presenting them with the President’s Volunteer Service Award.
Machado and Titcombe and a roster of experts in the field will be sharing their knowledge at the second CUI-CON, which is set for Thursday and Friday, Feb. 22–23, at The Celeste Hotel, a Marriott brand, on North Alafaya Trail in Orlando.
To register for this event, visit https://cui–con/registration. This is a working conference focused on helping organizations seeking CMMC compliance.
“We put on the inaugural CUI-CON last year at a hotel in Melbourne Beach and it was a success,” said Machado. “And for this year’s event, we already have more than 100 registrations. Last year’s event was sold out. We had about 150 registrants. People will also be coming from out of state to attend the 2024 CUI-CON. We will have a range of speakers from different industries. For instance, attorneys who deal with government contracts will talk about the legal responsibilities of DOD contractors. We will have a C3PAO panel, and much more.”
The keynote speakers will include Matt Travis. His presentation at 12:30 p.m. on Friday is titled “CMMC Ecosystem.” He is the first CEO of the Cyber Accreditation Body, CyberAB. Travis served as the first deputy director of the Cybersecurity and Infrastructure Security Agency, the nation’s leading civilian cybersecurity agency. There he oversaw the daily operations of the more than $2 billion organization with 2,000 employees. Before that, Travis was the deputy undersecretary for national protection with the U.S. Department of Homeland Security.
A former naval officer, he served a tour as White House liaison to the Secretary of the Navy. He is a 1991 graduate of the University of Notre Dame and holds a master’s degree in national security studies from Georgetown University.
James Goepel, general counsel and director of education and content at FutureFeed.com, will address attendees at 8:30 a.m. on Thursday. He will talk about “DIB (Defense Industrial Base) Security.”
He has spent most of his professional career working in the cybersecurity field. Goepel has worked and counseled a range of organizations, from various portions of the government, including the U.S. House of Representatives and the U.S. Coast Guard, to contractors such as Unisys Corp., and The Johns Hopkins University Applied Physics Laboratory. He has also counseled startup technology and consulting entities.
Carter Schoenberg, vice president of cybersecurity and chief cybersecurity officer at Soundway Consulting Inc., will make a presentation on “Supply Chain Compliance and CMMC.” His talk is set for 10:30 a.m. on Thursday.
He has nearly 30 years’ experience in cyber threat intelligence, cybersecurity, cyber risk management, and cyber law. His work has included comprehensive assessments of U.S. government contractors to align with what are now formal requirements set forth by the DOD, including NIST 800-171 and the CMMC.
Machado himself will be speaking at 4 p.m. on Thursday at CUI-CON. His presentation is on “Pitfalls to Avoid.” He will also do the “End of Day Wrap Up,” following his talk.
The DOD plans to implement the CMMC program in four phases, a tiered model, depending on the type and sensitivity of the information, said Machado.
Phase one will begin on the effective date of DOD’s final rule. During phase one, CMMC Level 1 or Level 2 self-assessments become a condition for contract awards.
This means that contractors must self-assess their compliance with the cybersecurity requirements of Level 1 or 2, whichever level is applicable to the contract. The DOD may also include third-party CMMC Level 2 assessment requirements in certain contracts at its discretion.
Roughly 80,000 government contractors are expected to seek CMMC Level 2 compliance, according to the DOD. Machado said that while businesses are waiting for CMMC to officially take hold, the DOD has rolled out the Joint Surveillance Voluntary Assessment Program. It is a pilot program for CMMC that is being executed before rulemaking finishes.
“If a contractor wants to volunteer to be assessed, a C3PAO assessment team, like Cybersec Investments, and members of the Defense Contract Management Agency will jointly conduct the assessment. At CUI-CON, we will have assessors there that can do this.”
Machado added, “We’re excited about this conference. The presenters will provide a lot of important information about the new certification program that safeguards the information that supports and enables our military. We’re looking forward to the CUI-CON event.”