Are You Unsure About Which CMMC Security Standard Applies To Your Business?
The DoD will no longer take your word that appropriate cybersecurity protocols are in place. Contractors and supply chain outfits now require CMMC security certification.
In an effort to thwart rival nations and hackers from stealing sensitive information related to the U.S. Department of Defense activities, the federal government has implemented a rigorous update to its cybersecurity model. The latest Cybersecurity Maturity Model Certification (CMMC) places an enhanced focus on data housed on the networks of DoD contractors, subcontractors, and supply chain organizations.
What sets the CMMC security version 0.7 mandate apart from previous incarnations is that all supply chain businesses must proactively meet one of five cybersecurity levels before gaining lucrative DoD work. In previous years, the government routinely awarded contracts based on an outfit's word that its System Security Plan and Plan of Action and Milestones were in place. The DoD would later discover post-award discrepancies, and companies were punished under the False Claims Act for misstating their cybersecurity health. The DoD has taken the position that high fines and loss of contracts cannot repair the damage done when cybercriminals pilfer important data. Moving forward, every outfit in the DoD supply chain must earn re-certification.
What Happens If A Business Fails To Meet CMMC Security Standard?
It’s essential to keep in mind that the CMMC applies to all organizations that enjoy profit-driving work in the DoD supply chain, without exception. That being said, the more sensitive Controlled Unclassified Information (CUI) housed on your network, the higher the level of cybersecurity you will be expected to meet. Prime contractors, for example, will generally be expected to reach the CMMC Level 4 through 6 standards. Subcontractors are likely to rank between Levels 2 and 3.
The primary reason the DoD has shifted away from taking outfits at their word to requiring prior certification is a report called “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War.” The report uncovered the startling fact that numerous government contractors failed to meet the cybersecurity requirements, and that many lacked a basic understanding of how to meet the CMMC security standards at all. To answer the question, failing to gain prior certification will result in your business’s exclusion from DoD work.
How To Prepare for CMMC?
The CMMC model relies heavily on the National Institute of Standards and Technology Special Publication 800-171, or NIST 800-171, for cybersecurity guidance on how to protect CUI. Version 0.7 mandates that your operation meets one of the following levels of cybersecurity protections.
- Level 1: Basic protection against breaches and shielding from common threats.
- Level 2: Intermediate cyber hygiene that includes a determined plan to protect CUI.
- Level 3: Active protective measures that border on advanced cyber hygiene.
- Level 4: Proactive cyber hygiene that poses a determined defense and response to high-level threats.
- Level 5: Sophisticated cybersecurity that includes 24-7 defense and response to critical threats.
The first step will be identifying which level of cybersecurity the DoD will expect from your organization. This can present something of a problem for decision-makers because your cybersecurity certification will likely be required in an RFP submission. If you are unsure of your necessary threshold before bidding on work, it’s crucial to reach out to a cybersecurity expert immediately and begin an assessment process. As the “Deliver Uncompromised” report uncovered, many outfits are unsure about the standards or how to implement them. It follows that many companies are also uncertain about which Level they’re required to meet.
Crucial next steps will include having a managed IT cybersecurity firm conduct a full review of your network, best practices, and cybersecurity policies. From there, updated protections and a strategic plan can be implemented to exceed the CMMC. Going above and beyond is worthwhile, given that your outfit will not only need to measure up but also schedule an independent third-party audit to gain formal certification. Without that accreditation, there is zero chance your business will remain in the supply chain. Deadlines to meet the CMMC begin midway through 2020, and organizations would be wise to move swiftly or be left behind.
Learn More About CMMC and NIST Compliance
Check out some of our technology and DoD cybersecurity articles.