Cybersecurity Maturity Model Certification (CMMC) is the DoD’s newest verification system, and it ensures all defense industrial base (DIB) contractors have adequate cybersecurity measures in place. According to the NQA,
“In 2016, the U.S. economy lost between $57 billion and $109 billion due to malicious cyber activity. The loss of Controlled Unclassified Information (CUI) from the defense industrial base poses a risk to national security. So, as cybercrimes continue to evolve, the U.S. Department of Defense has developed new measures to increase security across the defense supply chain — CMMC standards.”
In the DoD’s official press release, a representative explains,
“…cybersecurity risks threaten the defense industry and the national security of the U.S. government, as well as its allies and partners. About $600 billion, or 1% of the global gross domestic product, is lost through cyber theft each year.”
Before CMMC was introduced to the DIB sector, contractors were solely responsible for the overall security of their information technology systems and any CUI transmitted on those systems. Contractors are still responsible for meeting cybersecurity requirements, but CMMC shifts the paradigm by adding a third-party assessment of their systems to validate compliance with mandatory practices, procedures, and capabilities.
Anyone who wants to work on a DoD contract needs to have the appropriate Cybersecurity Maturity Model Certification (CMMC) required for the project. According to CSO, this includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors, and foreign suppliers.
According to the Congressional Research Service, the DoD accounted for 63% of the federal government’s $507 billion in contractual obligations in the 2017 fiscal year. The DoD brings in a lot of contract work, so defense contracting can be lucrative for organizations to tap into.
The Office of the Under Secretary of Defense for Acquisition & Sustainment outlines some factors to consider that would require a certification:
To stay current with CMMC compliance information, The Office of the Under Secretary of Defense for Acquisition & Sustainment maintains a CMMC FAQ where contractors can keep up to date on the certification process.
Cyber threats are still real and only getting more sophisticated as technology advances. To mitigate risks to both the DoD and its contractors, NIST SP 800-171 was developed in 2003 to provide guidelines on cybersecurity standards. But even with these standards in place, there was no vehicle to enforce them and ensure contractors were mature enough to protect the DoD’s CUI.
According to DoD representative Ellen Lord,
“The CMMC is the DoD’s metric to measure a company’s ability to secure its supply chain from cyber threats, protecting both the company and the department.”
CMMC is that vehicle: it is how the DoD ensures that NIST SP 800-171 standards are met. While Level 1 does not require any compliance with NIST SP 800-171, Levels 2-5 incorporate either some or all of its practices.
In late September 2020, the DoD published the interim rule requiring DoD government contractors to possess at least a basic NIST SP 800-171 DoD Assessment. The assessment can be no more than three years old at the time of the award and is required by November 30th, which means companies need to:
Starting in Q3 of 2020, third-party auditors began applying for authorization to assess compliance with this new requirement. In Q4 of 2020, bidders will go through audits, and by 2021 the DoD will be enforcing the CMMC requirement for all its contractors.
With the deadline quickly approaching, organizations are scrambling to get their CMMC certification, so they can continue bidding on DoD contracts. One of the best ways to prepare for CMMC audits is to partner with a managed security service provider (MSSP).
MSSPs are staffed with experienced cybersecurity professionals who keep up with the threat landscape and are uniquely equipped to help organizations navigate new regulations.
Unlike the more familiar NIST SP 800-171 requirements, CMMC is broken down into five levels of certification that define an organization’s cyber hygiene (defined by Cambridge as “the practice of protecting online computer information by using special software, choosing strong passwords, etc.”).
Level 1 consists of 17 practices and is equivalent to all practices in Federal Acquisition Regulation (FAR) Clause 52.204-21.
The DoD’s chief information security officer for acquisition, Katie Arrington, explains,
“Something… simple in Level 1 would be, ‘Does your company have antivirus software? Are you updating your antivirus software? Are you updating your passwords?’ CMMC Level 1 is the basic cyber hygiene skills we should be doing every day. They are there to protect yourself, your company and your own information.”
Level 2 consists of 72 practices. It complies with FAR Clause 52.204-21 and includes a select subset of 48 practices from NIST SP 800-171 plus 7 additional practices to support intermediate cyber hygiene.
Level 3 consists of 130 practices. It complies with FAR Clause 52.204-21 and encompasses all practices from NIST SP 800-171 plus 20 additional practices to support good cyber hygiene.
Level 4 consists of 156 total practices. It complies with FAR Clause 52.204-21, encompasses all practices from NIST SP 800-171 and a subset of 11 practices from Draft NIST SP 800-171B, and adds 15 additional practices to demonstrate proactive cybersecurity practices.
Level 5 consists of 171 total practices. It complies with FAR Clause 52.204-21, encompasses all practices from NIST SP 800-171 and a subset of 4 practices from Draft NIST SP 800-171B, and adds 11 additional practices to demonstrate advanced cybersecurity practices.
The nature of the defense and government-related industries makes them prime targets for cyber-attacks, breaches, and information and identity theft. That’s why defense contractors trust Conquest Cyber as their MSSP, leveraging our distinctly qualified cybersecurity specialists to meet strict regulations and requirements for CUI, ITAR, CMMC, and DFARS compliance.
See for yourself how Conquest Cyber helps defense contractors quickly achieve CMMC compliance so teams can focus on high-value government contracts.