What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) was created by the Department of Defense (DoD) in order to put a cybersecurity assessment model and certification program in place. The CMMC is a unified standard for implementing cybersecurity across the defense industrial base.
Contractors used to be responsible for implementing and monitoring the security of their information systems. While they are still responsible, the CMMC changes these standards and requires third-party assessments of contractors’ compliance with certain mandatory practices, procedures and capabilities that can adapt to new and evolving cyber threats and adversaries.
Who does it apply to?
The initial requirements of the CMMC were released in January of 2020. The first to adopt were a small selection of organizations. Eventually, all DoD contractors will be required to obtain a certification, including all suppliers at all tiers along the supply chain, commercial item contractors, small businesses, and foreign suppliers.
It is noted that the DoD may begin to include minimum certification requirements in requests for information as early as June of 2020, and in requests for proposals in September of 2020. It is important that certification preparation begins immediately.
Levels of compliance (1-5)
The levels of compliance act as building blocks, ensuring with each level advancement, the prior levels are also in practice.
Level 1: Basic Cyber Hygiene – Performed
Requires companies to use antivirus software or ensure employees change passwords regularly to protect any Federal Contract Information, or information generated for the Government under a contract.
Level 2: Intermediate Cyber Hygiene – Documented
Requires that companies document processes including SOPs, policies, and strategic plans in order to protect any Controlled Unclassified Information (CUI).
Level 3: Good Cyber Hygiene – Managed
Requires a company to have an institutionalized management plan to safeguard CUI. This includes all the NIST SP 800-171 r2 security requirements as well as additional standards.
Level 4: Proactive – Reviewed
Requires companies to implement processes for reviewing and measuring the effectiveness of practices, as well as to have additional practices in place to detect and respond to advanced persistent threats (APTs).
Level 5: Advanced/Progressive – Optimized
Standardized and optimized processes are required to be in place. At this level, APTs must be detected and responded to, and these processes must be implemented company-wide.
This is only the beginning of a shift in our industry’s culture surrounding the topic of internal cybersecurity. All DoD contractors are advised to learn the CMMC’s requirements and plan for certification. To help DoD contractors prepare, we are offering a FREE initial assessment to determine gaps in your CMMC readiness. Contact us to ensure you have what you need to succeed. Our cybersecurity experts will start you on the path to full compliance today.