Cybersecurity isn’t just for businesses.
Government agencies are also under attack and are just as likely to suffer data breaches as any private-sector organization. In fact, agencies like the Department of Defense (DoD) are increasingly and specifically targeted.
The Defense Information Systems Agency, for instance, an arm of the U.S. Department of Defense that handles secure communications and IT for the president and other senior officials, confirmed that it experienced a data breach in the middle of 2019. Although the agency revealed little about the incident, it sent letters to individuals whose personal information, such as names and Social Security numbers, may have been compromised.
Similar incidents, along with mounting concern that foreign entities could obtain weapons-system information, have brought about the Cybersecurity Maturity Model Certification (CMMC), the DoD’s newest verification mechanism, designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks.
In short, CMMC mandates that DoD contractors ensure that they meet required levels of cybersecurity protection in order to be considered for DoD contracts.
The Department of Defense currently mandates, through Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, that its contractors meet the requirements of NIST Special Publication 800-171, but there is no independent audit or accountability mechanism for protecting CUI. This shortcoming led to the creation of the Cybersecurity Maturity Model Certification, which builds on DFARS 252.204-7012 and will require third-party assessment and certification across the DoD supply chain.
The existing DFARS clause requires defense contractors handling CUI to implement the 110 security requirements of NIST SP 800-171.
CMMC organizes cybersecurity across the DoD supply chain into five certification levels:
- CMMC Level 1 | Basic Cyber Hygiene | 17 security controls (NIST SP 800-171 rev 1)
- CMMC Level 2 | Intermediate Cyber Hygiene | 46 security controls (NIST SP 800-171 rev 1)
- CMMC Level 3 | Good Cyber Hygiene | 47 security controls (NIST SP 800-171 rev 1)
- CMMC Level 4 | Proactive | 26 security controls (NIST SP 800-171B)
- CMMC Level 5 | Advanced/Progressive | 4 security controls (NIST SP 800-171B)
Whereas compliance with NIST SP 800-171 could be self-assessed, a company seeking certification at a given CMMC level will need to demonstrate to accredited assessors and certifiers that it has the required capabilities and organizational maturity, with proper controls and processes in place, to reduce the risk of specific cyberthreats.
CMMC is expected to be phased in, beginning with certain DoD-identified contracts, starting in the fourth quarter of 2020.
Outsmart cybercrime and get ahead of the DoD’s Cybersecurity Maturity Model Certification (CMMC) initiative with CMMC Training Courses and Workshops by Tonex.
For more information, questions, comments, contact us.