Because of the threat posed by malicious cyber activity, the Department of Defense has tightened the cybersecurity requirements it imposes across its entire supply chain. The risk of cyber attacks from state and non-state actors looks likely to increase, and that has pushed the DoD to adopt more robust defensive measures.
As a major part of this effort, the Cybersecurity Maturity Model Certification (CMMC) Version 1.0 was just released on January 30, 2020. The CMMC framework will create a unified standard for auditing and certifying the level of cyber hygiene of DoD contractors, suppliers, and subcontractors to protect Federal Contract Information and Controlled Unclassified Information.
Who Will Be Affected?
The estimated impact of CMMC is significant. Any business that performs work for the DoD, directly or as a subcontractor, will be affected and will be required to obtain CMMC certification. Audits will begin in spring 2020, and there will be no option for self-certification. Certified Third-Party Assessment Organizations, or C3PAOs, will carry out these assessments on behalf of the DoD.
These new regulations present a brand new compliance challenge for a wide range of businesses as they prepare for the start of the implementation period this year. Make sure your business understands the requirements you will have to implement, and start preparing for audits right away by following these steps:
Get to Know the New CMMC Guidelines
Understanding the guidelines of CMMC Version 1.0 should be the top priority for DoD contractors. It’s important that you become familiar with the practices required for the various levels of certification, as well as all of the appendices that explain in detail what your business will be expected to do to become certified.
The rules for which contracted businesses will need to achieve which level of cyber hygiene have not yet been established; the required level will be stated in Requests for Information (RFIs) and Requests for Proposals (RFPs) released later this year. Becoming familiar with the practices each level requires will help your business begin rolling out the cybersecurity plans needed to protect its sensitive information.
Understand What Kinds of Information the CMMC Requires You to Protect
CMMC covers two kinds of information: FCI and CUI. FCI is information provided by or generated for the government under a contract that is not intended for public release. CUI is unclassified information that requires safeguarding or dissemination controls under a law, regulation, or government-wide policy. The kind of information your business handles, and the sensitivity of that information, will determine the level of cyber hygiene a contract requires you to meet.
Levels 1 to 5 Differentiation
There’s a range of practices that are identified at each level of certification which must be met in order for a contractor to achieve that level. The CMMC levels are as described below:
Basic Cyber Hygiene Practice and Performed Processes
Level 1 is a foundational level and offers the most basic practices that must be carried out by a contractor. All of the other levels and their practices build on this one, and every contractor, subcontractor, and supplier is required to meet at least this level of cyber hygiene.
Intermediate Cyber Hygiene Practices and Documented Processes
Level 2 acts as a transitional level between Levels 1 and 3. It requires contractors to document their practices and implement them in line with the CMMC Model. It also adds 55 practices beyond those required at Level 1.
Good Cyber Hygiene Practices and Managed Processes
Level 3 focuses largely on the protection of CUI. To achieve this level, a business must demonstrate that it manages its cybersecurity activities according to a plan and fulfills the relevant requirements.
Proactive Practices and Reviewed Processes
To achieve Level 4 certification, contractors must show an ability to protect CUI from Advanced Persistent Threats (APTs). Companies must also review and measure the effectiveness of their practices on a continual basis.
Advanced/Progressive Practices and Optimizing Processes
Level 5 also focuses on protection against APTs, but with additional practices required. Cybersecurity processes must be standardized and optimized across the organization to achieve this level of certification.
The Implementation Timeline
Full implementation of CMMC will be rolled out over the next five to six years; however, the DoD aims to start soliciting and awarding contracts with CMMC requirements as early as later this year. The department also intends to have 1,500 CMMC-certified contractors in place by 2021.
The CMMC Accreditation Body was formed in January and will oversee certification and the training of third-party assessors. All contractors should monitor its activities from now on to prepare for audits. Contractors looking to bid on the early CMMC contracts will be given priority when it comes to scheduling audits.
How to Prepare for CMMC as a Contractor, Subcontractor or Supplier
Begin an in-depth assessment of your current security practices and procedures, including your existing compliance posture, against the CMMC framework so you can start closing the gaps. You will also need to prepare your own suppliers and subcontractors for the changes, since they must be certified too, to avoid disruption later on.
The changes brought about by CMMC will present challenges for any business working with the DoD. It’s wise to start assembling internal teams to monitor CMMC Accreditation Body activities and what you’ll likely need to do in order to obtain certification now so you’ll be prepared for audits in the near future.