Security is foundational to acquisition and should not be traded along with cost, schedule, and performance
CMMC stands for Cybersecurity Maturity Model Certification, a supply chain risk management approach created by the Department of Defense. Third-party certifiers accredited under CMMC will have the tools needed to conduct audits and gather sufficient risk management information across the whole supply chain. Once CMMC is implemented across the Department of Defense, every maturity level, from basic cyber hygiene to advanced measures, will be assessed, which should reduce the overall risk resulting from cyberthreats.
What You Need To Know About Cybersecurity Maturity Model Certification
The Department of Defense created CMMC to strengthen its cybersecurity strategy and to reduce risks that were hard to control. The draft version of CMMC is ready and contains five maturity levels, and the Department of Defense will require targeted vendors to be certified in January 2020. Vendors will be evaluated by a third-party organization against the requirements of each CMMC maturity level.
The Cybersecurity Maturity Model Certification framework reflects the Department of Defense's first attempt at addressing its primary issue, cyberthreats, in a unified way. The available draft version of CMMC is inspired by the UK's Ministry of Defense Cyber Security model, but the Department of Defense has also added many of the requirements from NIST SP 800-171, which measures a contractor's compliance with the set of controls needed for cybersecurity and the protection of sensitive data. Beyond that, the Department of Defense designed CMMC to combine parts of NIST SP 800-53, ISO 27032, ISO 27001, AIA NAS9933, and other established standards. The main idea of CMMC is to measure the maturity of a company's institutionalization of cybersecurity practices and processes.
Why is CMMC Better?
Right now, it's mandatory to meet all the requirements of NIST 800-171. However, there is still no audit mechanism to verify that CUI is actually protected. That is the main reason the Department of Defense is creating CMMC: to guarantee that contractors follow all the requirements and are able to handle sensitive information.
Previous regulations, such as NIST SP 800-171, allowed self-assessment. To become CMMC certified, however, contractors will need to pass the required levels and demonstrate to certifiers that they provide the proper controls and reduce cyberthreats. The five levels of the Cybersecurity Maturity Model Certification allow companies to conduct business according to the level of certification they hold. Companies only need to pass the levels of cyber hygiene necessary for the contracts they pursue in order to reduce the risk of cyberthreats.
The current version of CMMC contains five certification tiers:
- CMMC Level 1: Basic Cyber Hygiene. 35 practices.
- CMMC Level 2: Intermediate Cyber Hygiene. 115 practices.
- CMMC Level 3: Good Cyber Hygiene. 91 practices.
- CMMC Level 4: Proactive. 95 practices.
- CMMC Level 5: Advanced/Progressive. 34 practices.
Just like any organization, governments suffer from data breaches. In October 2018, the Department of Defense faced a breach that affected 30,000 civilian contractors. The breach allowed hackers to access private information and credit card details of many civilians, and since then the DoD has recognized that it needs a better cybersecurity system with more auditing. The issue has become a priority for the federal government, which has started working toward a release of the first version in 2020.