In a bid to protect the defense industrial base from cyber threats, the DoD has introduced new cybersecurity mandates. Following the 2015 cybersecurity clause in the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012), additional mandates are due to come into force within months.
The Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification, or CMMC, is designed to ensure that all DoD contractors are fully compliant with the requirements of DFARS. Under DFARS, DoD contractors that handle Controlled Unclassified Information must ensure that their cybersecurity controls meet the requirements of NIST SP 800-171.
The CMMC model assesses a company's cybersecurity maturity on a scale of five levels. A contractor that has only recently adopted basic cybersecurity practices, for example, may achieve only the lowest level of certification, while a company that has implemented an advanced, well-documented set of cybersecurity measures will attain a higher level.
Why is CMMC being developed?
The Department of Defense attempted to establish a baseline of cybersecurity measures for its contractors with the 2015 DFARS clause. That rule relied on contractor self-attestation rather than independent verification, and while many contractors did attempt to bring their cybersecurity measures up to the NIST SP 800-171 requirements, not all succeeded.
As a result, some of the contractors working with the DoD are still not compliant with NIST SP 800-171. Because the supply chain is only as strong as its weakest supplier, the industry as a whole remains vulnerable to cyberattacks.
By introducing the CMMC, the DoD is increasing the pressure on contractors to implement stricter and more advanced cybersecurity measures. The CMMC incorporates the NIST SP 800-171 requirements, and additional practices and processes will be added to it over time. This means that the CMMC will take a comprehensive approach to the security requirements of DoD contractors and evolve as new threats emerge.
Once a company has been audited in accordance with the CMMC, its compliance can be confirmed and its maturity level ascertained. The DoD will then use this information when choosing which companies it wants to continue working with. Ultimately, every organization that supplies products or services to the DoD will need to pass a CMMC audit and be certified at the level required for its contract in order to retain that contract or enter a new one.
Failure to pass a CMMC audit will mean that a company is unable to hold contracts with the DoD. As a result, organizations must implement more effective in-house cybersecurity measures and ensure they meet the standards required by the DoD if they want to continue doing business with it.
When will CMMC audits start?
Third-party assessment organizations are already being trained in the CMMC standards, and companies can expect audits to start in early 2020. To ensure they are ready, many firms are choosing to undergo voluntary assessments to gauge their current compliance and maturity levels. This will enable them to identify gaps in their in-house systems and rectify them before the CMMC audit takes place. Contractors will need to be CMMC certified by late 2020 in order to bid on Requests for Proposals, which will specify the CMMC level required for each contract, so it is vital that companies take action as soon as possible to avoid any business disruption.