In response to the increasing trend of cyber threats, the Department of Defense (DoD) recently implemented a new cybersecurity standard for contractors who work with the US Military Services in order to be assured that its vendors are adequately securing their confidential data. In one of the biggest-ever changes to Defense contracting, the Cybersecurity Maturity Model Certification or CMMC now requires contractors to go through five tiers of network security controls that will need to be checked by third-party assessors. Getting a CMMC Assessment will now be an added cost that contractors in the Defense sector have to bear and only those who provide commercial off-the-shelf products or services will be exempt.
The Cybersecurity Maturity Model Certification combines certifications into a unified cybersecurity standard and will assess the maturity of an organization’s cyber risk mitigation practices. Defense Industrial Base (DIB) partners as well as contractors are required to meet the DoD’s new CMMC guidelines to bid on future projects.
How did the change in CMMC requirements come about?
The USA loses a whopping USD 6 Billion a year to adversaries due to exfiltration, data rights, and R&D losses. With robust cybersecurity protocols in place, the loss may be reduced by 10% or more, money better utilized by reinvesting in partners in the industrial base to give the country a competitive edge. In other words, the changes in requirements are a reflection of the Pentagon’s endeavors to protect defense industrial base networks and control unclassified information from cyber attacks.
What do the CMMC rules entail?
CMMC rules will require contractors to be certified by third-party auditors to ensure that companies are adhering to certain standards. Organizations will be required to meet different levels of security, with level one being the lowest (basic cyber hygiene) and level five being the most stringent (proactive and advanced cyber practices). Each level consists of practices and processes that a contractor must follow if he wishes to achieve that level of certification.
The five levels correlate to the following:
- Level 1 – Safeguard Federal Contract Information (FCI)
- Level 2 – Serve as a transition step in cybersecurity maturity progression to protect CUI
- Level 3 – Protect Uncontrolled, Unclassified Information (CUI)
- Level 4 and 5 – Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)
To adequately prepare, an organization will need to do the following:
- Do Readiness Assessment and Gap Analysis
- Create a Remediation Plan
- Monitor and Report on findings
- Prepare a System Security Plan (SSP)
How SureShield Can Help
SureShield software can be utilized to streamline all the above processes. The solution can be used to conduct a readiness assessment and gap analysis based on the CMMC framework, identify gaps, and provide a remediation plan with associated reporting and output the System Security Plan that will be required for certification. Next, we help you secure and prove to the CMMC Auditor that all key risks are understood and effectively managed by establishing a methodology to conduct a risk assessment. Lastly, we build and execute a risk mitigation plan to help you get your CMMC certification by fixing gaps that need to be addressed for you to implement an actionable Risk Treatment Plan.