As the Cybersecurity Maturity Model Certification (CMMC) nears full implementation, affected organizations are scrambling to ensure they will pass the certification process.
The goal is simple: organizations must meet minimum cybersecurity standards and, in doing so, do their part to improve national security. The stakes are extraordinarily high for the estimated 300,000 defense industrial base (DIB) organizations that will soon need to be certified at one of the five CMMC levels to be eligible for award of a DoD contract. Simply stated: no certification, no contract. From the perspective of the U.S. Government and the Department of Defense, the stakes have always been high, since the DIB plays such a critical role in the defense of the nation. The only way to ensure the protection of government data and the integrity of the supply chain is to hold industry to a higher standard.
How Did We Get Here?
Adversarial activity from state and non-state actors continues to increase, and the economic costs are staggering: $5 trillion globally, by some estimates. Other estimates put the cost to the U.S. economy at somewhere between $57 billion and $109 billion in 2016 alone. The need for CMMC, however, is not just about economic interests; it is about collectively defending ourselves. Companies large and small contribute to the success of the American warfighter, and under CMMC they will all be held to the same level of accountability.
In the federal space, it takes only a quick glance at a certain fighter jet to connect the dots on how important it is to secure the organizations that ultimately secure and defend our country. In the commercial space, the Target breach showed how a business partner can be the weak link that ultimately enables an attack. By holding the DIB more accountable, we not only fulfill a new business requirement but also meet a strategic imperative to be more resilient to attack. Times have changed, and so has how we conduct business. Like it or not, we maneuver on a modern battlefield where "war," "espionage," and "crime" now carry the prefix "cyber," meaning private and public entities alike must be prepared with a modern response.
What Is CMMC?
CMMC defines five levels of technical and procedural controls (CMMC calls them practices) that aim to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) held by DoD contractors. To reach CMMC Level 5, an organization must implement, and be assessed against, 171 controls. Most cybersecurity professionals in the federal space will find the bulk of these familiar: nearly all of the controls required for Level 3 come from NIST SP 800-171, and the organizations that will soon need CMMC certification have already been required to meet NIST SP 800-171 since 2016 under DFARS clause 252.204-7012. The key difference is that organizations can no longer self-certify and defer deficiencies with a Plan of Action and Milestones (POA&M). Instead, they must be formally assessed by a CMMC Third Party Assessor Organization (C3PAO) or by an assessor certified by the CMMC Accreditation Body, a non-profit organization charged with certifying the readiness of the assessors. No dates have been set for when assessments will start, but training has recently begun for the first group of CMMC assessors.
What to Do Now?
CMMC preparedness is an exercise in implementing the fundamentals of cybersecurity and continuously improving them to achieve greater resilience. The levels are cumulative: each builds on the one below it, so to reach Level 4 you must be fully compliant with Level 3. Each level corresponds to the sophistication of your security practices, starting with basic cyber hygiene at Level 1 and progressing to more advanced, proactive measures such as threat hunting at the upper levels. With 171 controls of increasing complexity, where do you begin?
Whether you need to be certified at CMMC Level 1 or Level 5, or your organization does not do business with the DoD at all, the standards CMMC sets out are a roadmap for any organization to mature its cybersecurity posture. Regardless of starting point, achieving CMMC compliance will challenge small and large organizations alike, but the outcome is the improvement we desperately need. Securing our data and intellectual property is both logical and absolutely necessary to maintain a technological edge over our adversaries. Continuous assessment and improvement in the practice of cybersecurity fundamentals are paramount to achieving the digital resilience needed to combat modern threats.
Wayne Lloyd is federal chief technology officer at RedSeal.