The United States Department of Defense (DOD) significantly increased its security protocols in 2020. Last year, the agency released a new security certification, the Cybersecurity Maturity Model Certification (CMMC). The purpose of the certification is to diminish the impact of cyber risks that may threaten our nation's defenses by ensuring that vendors who work with the agency have proper security procedures in place. The CMMC gives the DOD a basis for auditing its vendors, so it can tell which ones take their security measures seriously. If your business works with the DOD, or plans to in the future, you need to be aware of what the CMMC is and which requirements you need to meet. Let's take a look at what is known so far.
What is the CMMC?
It's how the DOD will keep track of the security protocols used by its potential defense vendors and whether they have enough security measures in place to form a partnership with the agency. Any vendor that plans to work with the DOD and bid on a work proposal must hold the appropriate CMMC level at the time the contract is awarded. If you do not hold the proper CMMC level at the time of contract, it doesn't mean you won't be able to work with the DOD; it just means that you won't have full access to the DOD's information.
How does it impact my organization?
The goal of the CMMC is to address the protection of Controlled Unclassified Information (CUI) across the DOD supply chain.
Any organization that is working with the DOD, or that plans to, needs to know about the CMMC.
Your required certification level depends on your company's access to CUI.
As of now, none of the current vendor contracts with the DOD contain CMMC requirements, but the DOD is expected to start requiring them in a number of upcoming contracts in 2021. Over the next few years, every contract will carry some degree of CMMC requirement. It is estimated that around 350,000 vendors that partner with the DOD will be impacted by these security requirements by 2026.
CMMC Maturity Levels
The CMMC includes maturity levels to help define vendor processes and security methods. It has five Maturity Levels (ML) ranging from basic cyber protocols to advanced. Here’s a breakdown of the levels.
ML 1: Basic Cyber Practices
This ML focuses on the basic safeguarding of information and fundamental cyber hygiene. While organizations obtaining this level must be able to protect Federal Contract Information (FCI), their practices will be conducted in an ad-hoc manner and there is no requirement to produce documentation or have the effectiveness of their processes analyzed.
ML 2: Intermediate Cyber Practices
With ML 2 and all levels above, the main requirement is producing documentation. This means you need to show that your policies are formally written and adopted within your organization. This ML grants you access to FCI and acts as a transitional step for companies interested in working on contracts that involve CUI.
ML 3: Managing Your Cyber Practices
ML 3 places a larger focus on mitigating threats because it allows access to CUI. Organizations seeking ML 3 must demonstrate that their procedures are being followed and prove that those procedures are adequately resourced. You will also need to establish, maintain, and adopt a plan that shows the management techniques used for implementation.
ML 4: Reviewing Your Cyber Practices
ML 4 requires the organization to measure and review its own security practices, locating gaps where it can make improvements or resolve inefficiencies. The main goal of this level is to increase the protection of CUI and begin reducing the risk posed by Advanced Persistent Threats (APTs).
ML 5: Optimization of Cyber Practices
ML 5 is where optimization takes place. Organizations at this level have an established plan, continuously work to locate and resolve inefficiencies in that plan, and standardize the plan and practices across the organization. The focus here is also to boost the protection of CUI against APTs.
What level do you fall into?
Essentially, the level your company falls into will dictate whether and how you can do business with the DOD. So how can you tell which level you might fit into? Review and analyze your current security procedures and how they are implemented within your company to get a sense of which level the DOD may classify you under.
What do I need to do?
Prepare now. Understand your government contracts. If you are a subcontractor to another organization that holds the government contract, understand how that might affect you and which certification level you will be required to meet.
Have BerganKDV assist you with a CMMC gap analysis to see where you may need to strengthen your security posture.
Not sure where to start? You can take a free security assessment that provides a high-level view of your cybersecurity practices and maturity.