Understanding and Achieving CMMC compliance

The Cybersecurity Maturity Model Certification is set to marshal in a new age of liability for defense contractors. Designed by the Department of Defense (DoD), it intends to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It will affect all companies currently involved in contracting or subcontracting responsibilities with the DoD. CMMC will affect over 300,000 companies involved with the DoD and the defense industrial base (DIB). Total compliance with the new regulations will be mandatory from here onwards. For many years, the DoD and DIB have been common targets for cybercriminals, independent American hackers, and foreign hackers. CMMC enhances cybersecurity measures across both of these organizations.

Why Was the Cybersecurity Maturity Model Certification Launched?

The announcement regarding CMMC on January 31st, 2020, hardly surprised any industry insiders. Cybercrime has been a major concern for the DoD. Every year, the global industry loses $600 billion because of cybercrime. In 2016, the losses amounted to only $445 billion. In 2018, when the DoD started noticing that cybercrime was costing the world 1% of global GDP each year, they knew they had to start preparing. Major research agencies have suggested that if leading security agencies worldwide keep avoiding this increasingly expensive issue, by 2030, the world could lose trillions of dollars every year because of cybercrime data breaches. Thankfully, a significant percentage of these crimes can be isolated, targeted, and eliminated before the hackers do much damage.

CMMC Audits

To achieve CMMC compliance, defense contractors/subcontractors must go through external security audits. These verification processes need to be carried out by CMMC-accredited organizations. These independent assessment companies will determine whether a contractor is compliant with the latest DoD cybersecurity standards.

Who are the Independent Assessment Companies?

The CMMC Accreditation Body will recommend these independent assessment companies. This body is directly associated with the DoD. After auditing the contractors, they share the results with the DoD, notifying them of any non-compliance issues, potential security risks, unfavorable behavior such as unauthorized sharing of dissemination of Controlled Unclassified Information (CUI).

What Happens in Audits?

The independent assessment companies use multi-layer tallying systems. After the audit, they allocate contractors/subcontractors specific cybersecurity rankings. There’ll be over three hundred thousand companies going through these audits, so more information about the nitty-gritties of these audits will soon be public.

Who Does It Apply To?

CMMC applies to any independent contractor/subcontractor involved with the DoD or DIB. All of them must attain Level 1 to continue their work, irrespective of how big or large the contracts they handle every year are. CMMC is also expected to apply to all federal contracts. For instance, the Department of Homeland Security is very close to adopting CMMC. Thankfully, the buzz surrounding CMMC is very loud and has intensified the rush to prepare for better cybersecurity measures for these contractors.

Most contractors should find the process of applying the technical controls under the CMMC framework very easy. Plus, most contractors are already at Level 1 as they already implement basic cyber safety measures. Level 1 is the lowest cybersecurity level that most contractors are already deploying.

Achieving Compliance 

In the past, contractors/subcontractors had the option of certifying their FCI and CUI cyber safe practices on their own.

Controlled Unclassified Information (CUI) is data from the U.S. government that’s not technically “classified” but is still important enough to deserve the special protected status. FCI or federal contract information is data not fit for public access. All details regarding defense contracts (except for basic transactional information) need to be protected under the CMMC framework.

The option of self-certification is eliminated with the introduction of CMMC. To achieve compliance, companies must set up in-house systems or team up with cybersecurity companies that specialize in attaining CMMC compliance. These companies have the resources and the DoD’s nod of approval to help contractors/subcontractors attain compliance under the new framework.

When to Start Preparing?

The DoD’s provisional rule for implementing these new cybersecurity measures will be in effect from November 30th, 2020. These provisional requirements were made public on September 29th, 2020. These provisional rules will not only compel contractors to step up their cybersecurity practices, but they also mandate certain codes of conduct that the contractors will have to adhere to in order to qualify as compliant. So, contractors should start preparing for the CMMC regime as quickly as they can.

Why the CMMC Promises Positives for the Country?

The CMMC framework protects the security interests of the country. It also ensures that intellectual property is not easily accessible to cybercriminals. Contrary to belief, contractors are not unjustly put under the microscope by the DoD. They are being encouraged to invest insightfully in cybersecurity measures that’ll help the defense industry in general. More importantly, the contractors engaged in the right cybersecurity practices will be rewarded for their security efforts.

4 thoughts on “Understanding and Achieving CMMC compliance”

Leave a Comment