What is Cybersecurity Maturity Model Certification (CMMC)?

For defense contractors, now might be the time to start optimizing your security beyond the National Institute of Standards and Technology (NIST) compliance regulations. The new Cybersecurity Maturity Model Certification aims to broaden DoD's assessment regime.

All companies that do business with the DoD will need to implement CMMC. The certification comes at a time when threat attempts on DoD systems are at an all-time high, about hundreds of thousands every day.

What is CMMC?

Cybersecurity Maturity Model Certification is a consolidated cybersecurity standard for everyone that does business with the DoD. This umbrella standard specifically tries to protect Controlled Unclassified Information (CUI) within the supply chain.

The framework is still in the development stage, expected to be unveiled by January 2020
The CMMC cybersecurity framework will combine several cybersecurity standards and the acceptable best standards by DoD stakeholders, universities and federally funded research institutions
The framework will outline these process across different maturity levels from basic to advance
The implementation of these controls in any given CMMC level will help to neutralize against a hybrid set of cyber threats
Cybersecurity Maturity Model Certification requirements will be thorough yet cost effective to implement even for small business

An Outline of the CMMC Framework

A model of the Cybersecurity Maturity Model Certification (PDF) entails 18 domains that are based on the best cybersecurity practices. Each domain is further broken into capabilities and then practices and processes.

Level 1: This part of the CMMC framework is the most basic. It touches on cybersecurity practices feasible for small companies. Your company will need to have resistance against data breaches and some resilience against malicious actions.

Level 2: At this level, you have some form of protection against unskilled actors. You adhere to universally accepted cybersecurity best practices. You have considerable protection against data breach and malicious actions.

Level 3: Your company will need to be NIST SP 800-171 compliant and adopt best practices beyond CUI protection. At this stage, you know your cyber assets. You have also built resilience against moderately skilled threat actors and data breaches.

Level 4: At this level, you abide by sophisticated cybersecurity standards. You have resilience against advanced threat actors and a thorough and continuous knowledge of your cybersecurity assets. Your incidence response is speedy, and your data protections impenetrable.

Level 5: This is the highest CMMC compliance level. Your company employs advanced cybersecurity practices. You have built resilience against advanced threat actors, and your incidence response is at machine speed. You have also developed resistance against data breaches and have autonomous knowledge of cybersecurity assets.

Why is CMMC Important?

The DoD has taken a second look at the NIST security controls enabled by the National Institute of Standards and Technology (NIST) and decided that they don't sufficiently cover all security loopholes. Threats from nation-state actors remain to be a significant concern even with NIST compliant dealings.

Even though it is too early to rate the impact that the Cybersecurity Maturity Model Certification will have on contractors, compliance will be mandatory. CMMC compliance audits might replace those done for NIST SP 800-171. Plenty of engagements and outreach are expected before the first version of the framework is released in January 2020.

At face value, contractors that comply with CMMC standards might be able to do business with the DoD without the risk of suspension or termination of contracts. It isn't far-fetched to imagine that the US government might terminate contracts over CMMC non-compliance.

Furthermore, all new DoD contract RFPs and RFIs will include CMMC compliance as a standard requirement. Moving forward, if your company is not CMMC compliant, you will miss out on new contract opportunities.

Beyond easily landing and maintaining DoD contracts, CMMC compliant companies might be able to:

Reduce their risk of data breaches, the cost for which averaged at $3.62 million per incidence in 2017
Overcome the threats of nation-state actors which made up 23 % of all data breaches in 2019, up from 12% in 2018
Reduce the risk of insider threats
Be deemed compliant with other regulations such as NIST, ISO, HIPAA, FISMA, and SOX

Tips and Reminders for CMMC

All companies and individuals that conduct business with the DoD must be certified
Unlike NIST which measures your compliance with a specific set of controls, CMMC will measure your company's maturity level on the standardization of cybersecurity practices
The assessment of maturity levels will be done on a procurement basis
Lower-level certifications will be by a third party auditor while government auditors will conduct higher-level assessments

8 CMMC Practices to Implement Before January 2020

Conduct cybersecurity awareness and training
Optimize your incidence response
Analyze and communicate threat information
Seek to become NIST SP 800-171 compliant
Evaluate your supply chain risk
Use two-factor authentication
Use data- loss prevention technologies
Carry out regular self-audits

Inadequate security measures not only could mean loss of contracts and losses in business, but it also risks government information. While CMMC is the US Government's effort to strengthen national security, your business can also benefit from it in unprecedented ways.

At Peerless, our team of cybersecurity specialists can help you achieve CMMC compliance faster and cost-effectively. Contact us for a free consultation.

If you would like to learn more about Cybersecurity Maturity Model Certification, be sure to check out our guide. It includes everything you need to know about CMMC in order to get ahead and stay ahead of your competition.

The Complete Guide to Cybersecurity Maturity Model Certification