Going forward in 2021, any defense contractor working with the United States Department of Defense will need to familiarize themselves with the new CMMC cybersecurity framework. The Cybersecurity Maturity Model Certification (CMMC) is a standard for implementing cybersecurity best practices across the Defense Industrial Base, which affects over 30,000 different companies.
This framework was drawn up in response to several significant compromises of sensitive information improperly stored and shared on contractors’ systems. The Pentagon officials responsible for CMMC drew from best-practice cybersecurity standards taken from around the world.
The following article will compare CMMC to cybersecurity standards from other regulated industries in the United States, examining the key differences and similarities.
NIST Special Publications 800 Series
The NIST SP 800 series is a collection of cybersecurity standards used by the US government. Since much of the CMMC framework was pulled directly from the 800 series, there are numerous similarities, and companies already compliant with these standards will have a significant advantage in adhering to the CMMC. The key difference is that the CMMC bases its security controls on the sensitivity level of the information each company handles, rather than on assessed risk.
ISO/IEC 27000 Family
The ISO/IEC 27000 family is used by multiple organizations and industries and follows the same universal security principles as CMMC, including risk management, incident response, and governance standards. Yet since it is used by a variety of industries, there are government-specific principles within the CMMC that are absent from ISO/IEC 27000, such as FIPS-compliant encryption standards.
Payment Card Industry Data Security Standard
PCI-DSS was created by numerous credit card companies to align their security standards and create a base level of security. With only 12 requirements, it is a very basic framework and easy for most companies to achieve, so although it could be compared with CMMC Level 1, CMMC is far more comprehensive and will lead to much more robust security protocols. While PCI compliance can often be achieved without outside help, many DoD contractors seek the aid of a CMMC preparation consultant to ensure they’re complying with each part of CMMC.
Center for Internet Security Critical Security Controls
CIS controls were developed to help the government follow cybersecurity best practices and prevent malicious attacks, and were something of a precursor to CMMC. Both frameworks are adaptable to companies of different sizes, imposing fewer demands on smaller companies and more stringent controls on larger ones. The difference is that CIS controls are simple and can be implemented by most companies in-house, whereas most firms will require an outside consultant to help them achieve CMMC standards.
Health Insurance Portability and Accountability Act
HIPAA is a US federal regulation designed to protect private health information. Just like CMMC, the HIPAA framework forces the associated companies and bodies (namely hospitals and subcontractors) to safeguard confidential data. The key difference is that the penalties for violating CMMC standards are much less severe: organizations that violate HIPAA standards are subject to significant fines, whereas contractors who breach CMMC protocols merely compromise their ability to bid on Department of Defense contracts.
In conclusion, although there are many duplicated controls taken from previous and similar cybersecurity standards, there are also many key differences. CMMC is shaping up to be one of the most comprehensive, cutting-edge regulatory standards, and other industries could very well follow suit in future years. DoD contractors should familiarize themselves with the CMMC requirements and take action to meet the necessary standards.