Last Updated on October 12, 2020
We know now that companies in the DIB need to hit the Cybersecurity Maturity Model Certification (CMMC) requirements to win new DoD contracts. This is a direct response to significant and ongoing breaches of sensitive data held by suppliers, the CMMC applies to over 300,000 companies in the US defense industrial base (DIB).
The CMMC draws upon and rationalizes several other cybersecurity frameworks, including NIST 800-171, NIST 800-53, FISMA, ISO 27001, ISO 27032 and AIA NAS9933.
Based on a “maturity” model, the CMMC framework leverages independent, third-party assessments to verify compliance. Its five certification levels define the maturity and robustness of a company’s cybersecurity controls and processes in terms of their ability to protect Controlled Unclassified Information (CUI). Each level builds on the requirements of the preceding levels.
Why the CMMC Framework is Important
Business losses from cybercrime are predicted to exceed $5 trillion by 2024. But the cyber threat to the DIB isn’t merely financial—the US is engaged in a cyber war and is under continuous attack by state-sponsored actors looking to reduce our military tactical advantage by exfiltrating intellectual property.
This is tough. Many companies in the DIB are small to medium business just trying to run their companies profitably and investing in security can feel like “just another cost”. The DoD needed to take steps to reduce the theft of US intellectual property while not jeopardizing the business needs of the DIB.
To help mitigate this huge and escalating risk to US national security, the DoD undertook the development of an information security framework that would help DIB companies secure both CUI and Federal Contract Information (FCI) across the DoD supply chain (at a reasonable cost).
CMMC Framework Development
In 2015, the DoD published the Defense Acquisition Federal Regulation Supplement (DFARS), which mandated that DIB companies comply unilaterally with the NIST 800-171 information security standard. Compliance has proven to be inconsistent and lagging, in part because it is self-attested, such that companies may knowingly or unknowingly be out of compliance.
The CMMC is intended to directly address this issue by ensuring compliance via independent, third-party assessment of contractors’ systems. The CMMC program, through the CMMC Accreditation Body (CMMC-AB), will also provide a wide range of advisory and consulting options for DIB companies.
In 2019, the Software Engineering Institute (SEI) at Carnegie Mellon University, in collaboration with the Johns Hopkins University Applied Physics Laboratory, architected and developed the initial CMMC versions.
CMMC Framework Elements
The CMMC framework includes five maturity processes and 171 cybersecurity best practices (aka controls) that progress across five maturity levels and are grouped into 17 domains. The maturity processes relate to operationalizing cybersecurity activities in a manner that is consistent and viable. The best practices define a range of capabilities across the levels, ranging from basic data safeguards (Level 1) to the ability to reliably protect CUI (Level 3) to addressing Advanced Persistent Threats from nation-state actors (Level 5).
The CMMC certification program, under the auspices of the CMMC-AB, will assess the implementation of processes and practices at the level(s) specified in applicable contract(s) for Organizations Seeking Certification (OSCs).
If your company plans to seek CMMC certification, Pivot Point Security offers a full spectrum of CMMC compliance services, from advice to implementation expertise and support.
Contact us to talk with a CMMC expert about your business needs and how we can help.