CMMC: The Looming Cyber-Security Certification that Affects 60,000+ Companies
In 2019, the U.S. Department of Defense (DoD) announced a new cybersecurity certification program for its contractors, the Cybersecurity Maturity Model Certification (CMMC). CMMC is a DoD certification process that sets out the security requirements a contractor must meet, and it is estimated that 60,000 to 70,000 companies will need to become CMMC compliant within the next 1 to 3 years.
CMMC combines and extends existing requirements from 48 Code of Federal Regulations (CFR) 52.204-21 and the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, and draws on practices from National Institute of Standards and Technology (NIST) Special Publication 800-171, the United Kingdom's Cyber Essentials, and Australia's Essential Eight. International Traffic in Arms Regulations (ITAR) remains a separate compliance regime from CMMC, but companies that are ITAR compliant will need to meet CMMC as well.
CMMC Version 1.0 was released in late January 2020. To view the latest CMMC document, visit the CMMC DoD site.
- There are 5 maturity levels (Level 1 is basic; Level 5 is the most stringent).
- Any company that does business directly with DoD (and some that do so indirectly) must adhere to CMMC: direct DoD contractors and the supply chains of higher-level CMMC companies must meet, at minimum, the base-level requirements.
- There is no self-assessment (unlike NIST SP 800-171); companies must be certified by an accredited third-party assessor.
- DoD will publish the certification level required for each contract.
Is My Business Affected by CMMC?
This is easily answered with a 2-part question: 1) Is your business a direct contractor to the DoD? 2) Does your business do business with a company that is a contractor to the DoD*? If you answered "yes" to question 1, your business will need to be CMMC compliant. If you answered "yes" to question 2, it is very probable that your company will need to be CMMC compliant.
What are the 5 CMMC Levels?
- Level 1 – "Basic Cyber Hygiene"
  - Meet the safeguarding requirements of 48 CFR 52.204-21
  - Applies to companies that handle Federal Contract Information (FCI)
- Level 2 – "Intermediate Cyber Hygiene"
  - Risk management
  - Cybersecurity continuity plan
  - User awareness and training
  - Standard Operating Procedures (SOPs) documented
  - Backup / Disaster Recovery (BDR)
- Level 3 – "Good Cyber Hygiene"
  - Multi-factor authentication on systems
  - Compliance with all NIST SP 800-171 Rev 1 requirements
  - Security controls to defend against Advanced Persistent Threats (APTs)
  - Share incident reports if the company is subject to DFARS 252.204-7012
- Level 4 – "Proactive"
  - Network segmentation
  - Detonation chambers
  - Mobile devices included in scope
  - Use of Data Loss Prevention (DLP) technologies
  - Adapt security as needed to address changing tactics, techniques, and procedures (TTPs) used by APTs
  - Review and document effectiveness and report to senior management
  - Supply chain risk consideration*
- Level 5 – "Advanced / Progressive"
  - 24/7 Security Operations Center (SOC) operation
  - Device authentication
  - Cyber maneuver operations
  - Organization-wide standardized implementation of security protocols
  - Real-time asset tracking
One important thing to note about CMMC is that, unlike NIST SP 800-171 and other current requirements, CMMC requires certification by an authorized third-party CMMC assessment organization. Today, most companies can self-certify against DoD security requirements. EstesGroup is not a CMMC certification company, but we can help companies prepare and raise their security to meet the new requirements.
For more specifics on CMMC, see the latest DoD CMMC revision.
Learn more about CMMC with "5 Ways EstesGroup Helps with Your CMMC Compliance".