The Department of Defense (DoD) is taking new measures to increase IT security. To protect against cybercrime from all sources, the DoD has worked on a new standard for its contractors. The result is the Cybersecurity Maturity Model Certification (CMMC).
The government has made an effort to improve national cybersecurity for some years now. Homeland Security formed the Cybersecurity and Infrastructure Security Agency (CISA) in 2018. The DoD implemented its first cyber defense strategy in 2011, with periodic revisions in the years since.
The CMMC is part of this increased focus on cybersecurity. The certification aims to bolster the nation’s cyber defenses by setting higher standards for businesses doing contract work for the government.
What Does the CMMC Include?
The CMMC includes five levels of security maturity, ranging from “basic cyber hygiene” to “advanced/progressive cyber protection.” Each level requires a different extent of security protocols. Defense contractors will need to get certified for higher levels to bid for more sensitive contracts.
The first two levels cover basic security measures like antivirus, back-ups and employee cybersecurity training. The middle tier demands practices equivalent to NIST SP 800-171, an older government standard for working with controlled unclassified information (CUI). The final two levels require methods and technology, like real-time data tracking, that are necessary for handling high-value information.
Unlike past certifications, the CMMC requires third parties to audit businesses and determine their level. Companies could complete their own audits under earlier standards, but not anymore. The DoD cybersecurity training attempts to fill any possible gaps.
Companies must meet every requirement to achieve certification at a given level. Even if they meet all but one of the listed protocols, the DoD will classify them at the next lowest level. If businesses want to bid for the highest-level contracts, they’ll have to implement every single standard required by the CMMC.
When Will the CMMC Take Effect?
The DoD proposed the CMMC in 2019 and published the final draft on January 31 of this year. They started developing the auditor certification program in the same month, so licensed auditors will be ready as soon as possible. These auditors will start certifying businesses in June of 2020.
When the auditing process begins, new requests for information (RFIs) from the DoD will include CMMC requirements. Starting in September, the DoD will require companies to have a given CMMC level to bid on requests for proposals (RFPs). Any contractor working for the DoD will need to meet CMMC standards by the end of the year.
These new regulations will apply to all contractors doing business with the department. Even companies that have done extensive previous work for the DoD will need to gain certification to continue working with them.
Why the CMMC Matters
The DoD has had security requirements for defense contractors in the past. However, the CMMC sets higher standards and removes potential loopholes. By enacting a stricter set of requirements for anyone handling government information, the DoD intends to lower the risk of data breaches.
Perhaps the most significant change the CMMC brings is the removal of self-certification. Companies are subject to bias, so if they certify themselves, they’d likely claim their security measures are stronger than they actually are. Under self-certification, the DoD could unknowingly hand sensitive data to businesses that risk leaking it.
In 2018 alone, there were almost 80 data breaches that affected government entities. By implementing higher standards for collaborators, the government can be more sure of its cybersecurity. The DoD can’t afford cyberattacks, and the CMMC might be a key tool in defending against them.
Kayla Matthews writes about cybersecurity and technology for publications like Malwarebytes, Security Boulevard, InformationWeek and CloudTweaks. To read more from Kayla, visit her blog: ProductivityBytes.com.