The Department of Defense (DoD) announced in mid-2019 the creation of a new cybersecurity certification program and assessment model. The new program, dubbed the Cybersecurity Maturity Model Certification (CMMC), was unveiled on January 31, 2020, and is expected to be implemented by September 2020.
That is lightning-fast by DoD standards, and it is one of the most significant changes to how the industry works. All contractors seeking to conduct business with the DoD will have to get on board.
The CMMC is a new verification mechanism designed to ensure security for Controlled Unclassified Information (CUI) stored on Defense Industrial Board (DIB) networks.
The new model is based on the best practices of a variety of cybersecurity standards, including ISO 27032, AIA NAS9933, NIST SP 800-171, and NIST 2P 800-53, among others. It is also based on the input of Federally Funded Research and Development Centers, University Affiliated Research Centers, and the military-industrial-complex as a whole.
In the past, the DoD required contractors to ensure the security of their IT systems used to store and transmit sensitive information. Contractors will still be responsible for implementing and monitoring IT security systems under the new CMMC model, but assessment and certification will be conducted by a certified third-party.
Every contractor seeking to conduct business with the DoD, including bidding on contracts and subcontracting to a prime, will need to meet CMMC requirements. This affects all suppliers at different levels on the supply chain. The DoD estimates that more than 300,000 contractors will be affected.
The CMMC bases its evaluation of a contractor's cybersecurity system's reliability and maturity on five certification levels. These certification levels are progressively tiered as they build upon their collective technical requirements. This means that each certification level (starting from Level 2 going upwards) should comply with and satisfy the standards of the level below it.
Following is a brief overview of what each level entails:
This level entails basic cyber hygiene practices. Requirements include basic cybersecurity practices such as changing passwords regularly and using antivirus software to protect Federal Contract Information (FCI).
This level ups the requirements to 'intermediate' cyber hygiene practices. Contractors are required to implement requirements set by the National Institute of Standards and Technology's SP 800-171 Revision 2. These requirements are required for contractors to handle Controlled Unclassified Information (CUI).
Level 3 entails 'good' cyber hygiene practices for contractors to handle CUI information. It requires the implementation of NIST SP 800-171 Revision 2 standards, just like Level 2. It also ups the stakes and includes additional unspecified standards.
Level 4 requires contractors to be well equipped to repel Advanced Persistent Threats (APTs). An APT is not only persistent, as implied, but also more sophisticated than ordinary attacks. These threats are usually launched by resourceful and powerful entities, such as competing nations. As such, contractors should be just as resourceful to repel such attacks.
Contractors are required to implement processes to measure the efficiency of their cybersecurity systems. They should also have a versatile system that reviews their cybersecurity readiness and explores ways to adapt to changing tactics and techniques.
Level 5 ups the stakes on protecting against APTs. Contractors are required to set standardized and optimized cybersecurity practices. The contractors should also actively and continually exploit additional enhanced cybersecurity practices. These practices should be implemented properly across the whole organization and cover third-party associates as well.
Contractors must comply with the new CMMC cybersecurity requirements or sit on the sidelines. So, how do you go about it? Here are some tips to get you started:
We have only touched on the different facets of the new CMMC model in this article. The model covers 17 sections in total, and each section is covered in detail. As such, have your lawyers and relevant professionals study the new model and outline its impacts on your current systems.
You can proceed to plan and prepare for the new model with the relevant information in hand. Assess your current systems and document those that comply with the new CMMC controls. Next, identify practices that are not in compliance with the new requirements and assess what is needed to make them compliant.
The new CMMC model is still new and not as comprehensive as it should be. For example, it does not facilitate a contractor's right to appeal, which the DoD says is under development. As such, it is prudent to be keen on new developments and engage with the DoD and other relevant parties for clarification where necessary.
It will be necessary to engage the DoD and other agencies during the initial phases of CMMC certification. The contractor may lack clear guidelines on how to move forward or hit other setbacks trying to meet CMMC compliance standards. As such, they should review their RFPs and RFIs, including their minimum certification requirements.
Contractors working with the DoD are required to meet some of the CMMC certification requirements as early as June, and everything will move fast after that. Now is the time to prepare if you don't want to get locked out of lucrative deals.
GreyCastle is here to help you meet CMMC requirements. We have a large team of experts, including Certified Technicians and Compliance Officers, with answers to all your questions. Our personnel will assess your current cybersecurity system and measure its level of CMMC compliance. We will also work closely with you to develop custom solutions to make you compliant and earn you a CMMC certification.
We have a decade of experience in cybersecurity, and we help protect over 40% of the American market. We have an intricate understanding of the new CMMC model and have talented professionals with the skills of a certified CMMC auditor.
Give us a call and let us get you on par with the DoD's new Cybersecurity Maturity Model Certification.