The Beginner’s Guide To CMMC
(2020 Guidelines)
SSE provides CMMC consulting across the United States. Discover more by reviewing our 2020 guidelines guide. Schedule CMMC assessment.
Does Your DoD Supply Chain Business Meet 2020 CMMC Compliance?
Regardless of whether your organization does direct business with the federal government or benefits from lucrative supply chain contracts, the CMMC will have an impact on your bottom line going forward.
The CMMC, short for Cybersecurity Maturity Model Certification, went into full force and effect as of June 1, 2020. Anyone operating directly or indirectly with the U.S. Department of Defense (DoD), NASA, or General Service Administration, who houses what is known as “controlled unclassified information” (CUI) must now secure this data with heightened protections. If you are unsure about whether this includes your outfit or what types of cybersecurity measures are required, this CMMC overview answers a wide range of compliance questions.
Why CMMC Regulations & Compliance Matter
The federal government rolled out the CMMC in an effort to provide a unified cybersecurity standard across the defense industrial base. This sector includes upwards of 300,000 companies in a wide-sweeping supply chain. Officials at the DoD spearheaded the phased CMMC release beginning on January 31, 2020.
Before this rollout, defense contractors and supply chain outfits largely conducted their own compliance oversight using a variety of standards. Confusion about which guidelines to follow and failures to self-comply were resolved after the fact. Penalties and suspension of government contracts were an exercise in futility given that hackers may have already stolen valuable data.
According to Under Secretary of Defense for Acquisition and Sustainment Ellen M. Lord, cyber-theft costs the U.S. approximately $600 billion in losses each year. The DoD official indicates that hackers and rival nation-states place a high priority on stealing CUI from vulnerable supply chain companies.
“Adversaries know that in today’s great-power competition environment, information and technology are both key cornerstones. Attacking a sub-tier supplier is far more appealing than a prime (supplier),” Lord reportedly said. “CMMC is a critical element of DOD’s overall cybersecurity implementation.”
Peripheral companies may not realize that the seeming scraps of CUI they house on standard devices can be pieced together and weaponized by rogue nations such as Iran, China, and Russia, among others. The recently minted CMMC compliance regulations call for certification before bidding on lucrative government work.
Does CMMC Replace Previous Guidelines?
Perhaps the most confusing aspect of the CMMC rollout is that it does not exactly replace other directives. Instead, it brings many of the top-tier cybersecurity policies together under one roof.
For example, organizations in the federal government supply chain may already be familiar with standards such as NIST and DFARS. These were created to help secure vital information leveraged by contractors. Although these were determined efforts, neither delivered the hardened defenses necessary to keep digital assets out of the hands of bad actors. And indecision about which to follow added avoidable confusion.
The recently implemented CMMC gives everyone in the supply chain a single model to follow. It also eliminates potential vulnerabilities caused by subpar defenses or failure to meet the guidelines. The good news for industry leaders that took proactive measures is that previously adhering to standards such as NIST and DFARS may have you in compliance or close to the CMMC threshold.
If you exercised due diligence when working with CUI in the past, an audit of your security measures can determine whether you are aligned with one of the five CMMC levels.
What You Need To Know About 5 CMMC Cyber Hygiene Levels
It’s essential for supply chain companies to understand that their compliance level will be roughly equal to the sensitivity of the data they store or access. Corporations working directly on military or scientific projects can expect to meet the heightened measures outlined in Level 5. Those at the low end of the data food chain may only require minimal cybersecurity upgrades. Consider this general overview and how it relates to your current cyber hygiene.
Level 1
The first tier of the CMMC involves what many consider “basic hygiene.” Expectations include employing up-to-date antivirus software and firewalls, and having employees and others with access to your network use robust passwords and change them routinely.
Level 2
Widely considered “intermediate cyber hygiene,” this level expects supply chain organizations to implement standards found in NIST, among others. Companies are tasked with establishing and documenting cybersecurity controls so that key stakeholders can implement and repeat them. The critical point is consistently securing CUI.
Level 3
Industry professionals generally consider this level of compliance “good cyber hygiene.” Companies are expected to adhere to upwards of 47 cybersecurity controls to earn certification. Organizations must also craft a determined plan that demonstrates that those with access to data follow protocols. A company’s plan may include best practices, training, a mission statement, and an outline of stakeholders.
Level 4
Commonly called “proactive cyber hygiene,” this level expects outfits to have the ability to detect and defend against emerging threats. Contractors who met the DFARS criteria may find the Level 4 standards familiar. One of the terms used to highlight compliance is “advanced persistent threats,” or APTs. In essence, contractors must have the defensive capabilities to deter sophisticated bad actors.
Level 5
Meeting this heightened standard involves implementing as many as 30 additional controls. Companies must create standardized protocols that maximize “advanced cyber hygiene,” delivering sophisticated detection and response capabilities to defend against APTs.
The federal government’s decision to streamline and enhance protections under one CMMC roof hardens the nation’s defenses against international threats. But as a supply chain company decision-maker, that doesn’t make the details any less confusing. Going forward, your company will not only need to meet its required hygiene level, but it will also need certification.
Get A CMMC Compliance Assessment
The DoD and other agencies required minimum certifications for requests for information as of June 2020. Compliance for requests for proposals went into effect as of September 2020. Rather than miss an opportunity to participate in profitable government contracts, it’s imperative to have a cybersecurity professional analyze your systems. By having your cybersecurity defenses assessed and hardened to meet your CMMC compliance level, you can participate in profit-driving contracts going forward.