The Defense Industrial Base (DIB) will soon be mandated to meet new security requirements in Department of Defense contracts with a Cybersecurity Maturity Model Certification (CMMC), but what exactly is CMMC and what does it mean for your business?
Cyberattacks are on the rise and Controlled Unclassified Information (CUI) among defense-related businesses, including those in the supply chain, is increasingly at risk. According to the CMMI Institute, “[t]he DoD estimates that U.S. companies are losing over $6 billion USD each year in intellectual capital to competitors due to lack of any cybersecurity or awareness.” Therefore, the DoD is making a push for better cybersecurity protection, awareness, controls, and hygiene with the Cybersecurity Maturity Model Certification, soon to be required by all DIB businesses competing for RFPs and submitting RFIs.
The CMMC Framework
The CMMC Framework is not unlike other frameworks such as the CMMI Cybermaturity Platform, NIST SP 800-171, and the Defense Federal Acquisition Regulation Supplement (DFARS). (CMMC has deep roots in DFARS 252.204-7012, taking a “trust yet verify” approach to security.) This Framework is specifically focused on the DIB and its cyber hygiene.
Overall, CMMC aims to improve the security efforts of DIB businesses, and those in their supply chain, and to reduce risk.
The DoD released Cybersecurity Maturity Model Certification v1.0 in January 2020; it was developed by university research centers and federally funded research centers, as well as professionals in the industry.
While contractors in the DIB still maintain, and continue to strengthen, their own cybersecurity practices, CMMC requires that a third party assess and certify that the business is in compliance with this new standard.
Businesses and suppliers looking to serve as a DoD contractor in future rounds of RFPs will be required to obtain their CMMC by 2025.
The CMMC Accreditation Body and the DoD will shortly have processes for certifying the third-party assessment organizations (C3PAOs) that evaluate DIB businesses. (Take a look at CMMC-AB’s progress.)
- Review the requirements and begin preparing by documenting your business’s related practices and procedures.
- Plan ahead in order to achieve the highest certification level.
- Work with your subcontractors and those in your supply chain to ensure compliance every step of the way.
- CMMC will be required for DoD contracts, but future iterations of the certification may require your cybersecurity program to evolve. Plan ways to mature your program in the long-term.
- Get in on the ground floor with RedLegg as it’s expected that 300,000 companies will need to be certified by an accredited assessor.
Subscribe to the RedLegg blog in order to get future updates about CMMC.