The world of cybersecurity continues to face threats from many different angles.
From data breaches that expose consumer information to ransomware and other malware that can take down entire systems, the need for proper cybersecurity protocols has never been greater.
The U.S. Department of Defense (DoD) is aware of these current and emerging digital threats and has taken steps to mitigate them by introducing the Cybersecurity Maturity Model Certification (CMMC) 2.0.
The CMMC requires any contractor or business that partners with the DoD to obtain a certification showing that it has taken the appropriate steps to safeguard Controlled Unclassified Information (CUI). The hope is that these steps will better protect the DoD supply chain - and those who work with the DoD - from cyber threats.
What does the CMMC mean for your business? Read on to learn more about the CMMC and what you can do to ensure your business is compliant.
What is the Cybersecurity Maturity Model Certification (CMMC) 2.0?
The CMMC model was created to raise the overall cybersecurity posture of defense contractors and other businesses that work with the DoD. The model does this by standardizing cybersecurity practices across the supply chain.
The CMMC is a three-level certification, with each level corresponding to a specific set of cybersecurity practices that contractors and businesses must adhere to in order to do business with the DoD.
Level 1 is the basic, foundational level, while Level 3 is the most comprehensive and stringent. All contractors and businesses doing business with the DoD will eventually have to obtain a CMMC certification.
What are the three levels of the Cybersecurity Maturity Model Certification (CMMC) 2.0?
The three levels of the CMMC are as follows:
Level 1: “Foundational”
The first level of CMMC 2.0 compliance requires contractors to implement 17 controls of NIST 800-171 rev1. This is the most basic level for compliance.
Level 2: “Advanced”
Under the second level, DoD-contracted entities must adhere to and implement the 110 controls of NIST 800-171 rev2. This compliance level covers CUI for both non-prioritized acquisitions and prioritized acquisitions.
Level 3: “Expert”
The final and highest level of CMMC is Level 3, known as "Expert" cybersecurity. This level requires contractors to have successfully implemented both previous levels of the CMMC certification and adds practices based on NIST SP 800-172, for more than 110 practices in total.
What Are The Controls in NIST?
As each level is determined by the specific controls that must be adhered to, it’s important to understand what these controls are.
The National Institute of Standards and Technology (NIST) is a non-regulatory agency within the United States Department of Commerce that publishes standards and guidelines related to cybersecurity. NIST 800-171 contains a set of recommended security controls for protecting Controlled Unclassified Information (CUI).
The NIST controls that contractors must adhere to cover a variety of areas, such as:
- Access Control (AC)
- Incident Response (IR)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- Audit and Accountability (AU)
- Personnel Security (PS)
- System and Information Integrity (SI)
- Identification and Authentication (IA)
These controls ensure that businesses and contractors have a comprehensive cybersecurity posture that meets the requirements of the CMMC.
What should you do to prepare for Cybersecurity Maturity Model Certification (CMMC)?
If your business works with the DoD, or if you are a defense contractor, it’s important to start preparing for CMMC certification now. The deadline for compliance is 2025, so companies have time to begin work on meeting the requirements.
Here are some steps you can take to start preparing:
1. Learn and Understand the CMMC Requirements
The first step you should take is to learn and understand the CMMC requirements.
This will help you identify the specific controls that your business needs to implement to be compliant. The required controls vary by level, so it’s important to understand which level your business needs to be at.
2. Map Out Your Cybersecurity Controls
Once you know the required controls, you need to map out your current cybersecurity controls. This will help you identify the gaps between where you are and where you need to be to be compliant. You can also see where you are already adhering to the controls listed in NIST 800-171.
3. Implement New Controls as Necessary
If you find that your business needs to implement new controls, start working on doing so. Many of the controls can be implemented through basic cybersecurity measures, such as installing malware protection and firewalls. However, some may require more work, such as implementing a new incident response plan.
4. Get CMMC 2.0 Certified
Once you have implemented the necessary controls, you can start the process of getting CMMC certified. You will need to hire a Certified Third Party Assessment Organization (C3PAO) to assess your compliance level. There are also Managed Security Service Providers (MSSP) throughout the country that can help you to prepare for and achieve CMMC certification.
5. Stay Up-To-Date on Changes
The CMMC is a new standard, which means that it is subject to change. As the DoD updates the requirements, it’s important to stay up-to-date on the changes. This will help you to ensure that your business is always compliant.
Stay Secure Against Future Threats
As cybersecurity continues to take a front-row seat in the business world, it’s important to make sure that your company is prepared. The CMMC is a new requirement for businesses that work with the DoD, and it’s important to start preparing now.
By learning about the requirements and implementing the necessary controls, you can ensure that your business is compliant. Additionally, you can keep your business secure against future threats by staying up-to-date on changes.