Last Updated on June 29, 2021
The new Cybersecurity Maturity Model Certification (CMMC) framework from the US Department of Defense (DoD) is on the fast track to becoming the most widely adopted information security standard ever developed. It will soon be omnipresent in many business landscapes, especially the global Aerospace & Defense industry.
If you haven’t heard about CMMC yet, read on—and then tune into our special edition of The Virtual CISO Podcast on CMMC Level 1 featuring John Verry, Pivot Point Security’s CISO and Managing Partner.
“CMMC is a mechanism by which the DoD is going to enforce security across the Defense Industrial Base (DIB) or defense supply chain,” says John. “The reason for this is that we had a framework since 2015 called NIST SP 800-171, which defined 110 controls or good information security practices, which you had to self-attest to actually performing.”
“Unfortunately, many entities out of the 350,000 odd organizations in the DIB didn’t take NIST 800-171 all that seriously,” continues John. “They didn’t do a good job in actually conforming. We’ve continued to have breaches that cost the US economy something like $600 billion per year.”
As US senator Everett Dirksen supposedly said, “A billion here, a billion there… Pretty soon you’re talking real money.” Even worse, these breaches put our national defense at risk.
“They came up with the CMMC program to correct that,” John explains. “So now you’re going to be audited to confirm that you’re actually conforming with these requirements.”
CMMC is called a “maturity model” because it defines how you can implement different controls at different maturity levels (1 through 5). CMMC Level 3 corresponds pretty closely with NIST 800-171. It includes the 110 NIST controls plus an additional 20 controls. The purpose of CMMC Level 3 is to safeguard Controlled Unclassified Information (CUI).
Similarly, CMMC Level 1 directly corresponds with Federal Acquisition Regulation (FAR) clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. CMMC Level 1 includes just 17 controls. It is designed to protect Federal Contract Information (FCI), which is less sensitive than CUI.
If you have a security/compliance related role within the Aerospace & Defense industry, don’t miss this special podcast show with John Verry.
For more information:
- A discussion on CMMC with Katie Arrington, the DoD’s point person for CMMC
- A chat about the finer points of CMMC compliance with Corbin Evans from the National Defense Industrial Association
- A talk on CMMC Assessments and the CMMC rollout with Ben Tchoubineh, CMMC-AB board member
- Wherever You Do Business, CMMC is Coming
- This is Why DoD Suppliers Need to Move Soon to CMMC Readiness