The Defense Department recently released a new draft of the Cybersecurity Maturity Model Certification (CMMC). The goal of this certification is to create a simpler and more consistent framework for the cyber demands imposed on government contractors and subcontractors.
The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For each given CMMC level, the implementation of associated controls will reduce risk against a specific set of cyber threats.
The CMMC builds upon the existing regulation (DFARS 252.204-7012), which relies on contractor self-attestation, by adding an independent verification component for the cybersecurity requirements. While this new certification may be a drain on resources, especially for small businesses, the stated goal is for CMMC to be cost-effective and affordable to implement.
What Does This Mean to You?
Contractors, no matter what size, will soon have to get cyber certified to do business with the Defense Department. The intent is for accredited independent third-party organizations to conduct the audits and report the resulting risk level.
This standard was created because the existing DFARS guidance, which points contractors to NIST SP 800-171, is not considered enough. Even if you are already NIST 800-171 compliant, you are still susceptible to ransomware because that guidance does not require you to maintain backups. In addition, CMMC will add four control families that NIST 800-171 does not include: asset management, cybersecurity governance, recovery and situational awareness.
The CMMC standards will soon be required of all Defense Department contractors. As such, contractors need to get moving quickly on implementation; the certification is projected to take effect within the next year.
Budgeting Season is Now
As we approach Q4, now is the time to create or revamp your cybersecurity budget for 2020. It takes time and resources to properly and confidently establish a cyber secure environment. The sooner a plan is created, the more time there is for execution. We suggest starting with a security study to evaluate your current policies and controls. From there, we can create a step by step project plan together to reach your goals. Meeting compliance is important, but creating a cyber secure business environment is a way of life.