What Is CMMC & Does Your Organization Need To Comply?
The federal government has taken proactive measures to prevent rogue nations from stealing American military and scientific information. With more than 300,000 companies in the military supply chain, the U.S. Department of Defense (DoD) recently brought its all-encompassing Cybersecurity Maturity Model Certification (CMMC) initiative to fruition. As of June, businesses in the supply chain will need CMMC credentials to make requests for information. In October, everyone will need to comply to submit requests for proposals. Any outfit that fails to meet the standard and secure certification will find themselves outside the DoD network.
If you are a decision-maker in the greater Virginia Beah area that doesn’t work directly for the DoD, you might believe this cybersecurity policy may not apply to you. That’s not necessarily the case. The CMMC includes businesses that store or access seemingly low-level data called controlled unclassified information (CUI). Many operations in the goods and services industry tap into this extraordinarily broad category. It includes everything from health records to bank accounts to bills of laden.
Not meeting the CMMC standards could end up hurting the bottom lines of businesses even on the periphery because you won’t be able to participate in lucrative government contracts. Making matters worse, earning CMMC might not be difficult. If you are a CEO, entrepreneur, or business decision-maker in the greater Virginia Beach area, it’s crucial to know what CMMC is, how it works, and how to stay in the DoD supply chain loop.
What is CMMC?
This cybersecurity framework is the federal government’s solution to compliance failures and ongoing cyber-crime. Pentagon officials have gone on the record indicating that billions are lost every year as foreign entities breach American networks and steal digital assets. Officials have also pointed out that bad actors target supply chain outfits with the expectation small and mid-sized organizations have inferior cybersecurity defenses.
“Adversaries know that in today’s great-power competition environment, information and technology are both key cornerstones,” DoD official Ellen M. Lord. “Attacking a sub-tier supplier is far more appealing than a prime (supplier).”
The point Lord speaks to is that rogue nations have the funding and resolve to gather scraps of information from hundreds of supply chain companies and weaponize them. These digital assets can be pieced together to breach larger systems and achieve nefarious goals. In the past, organizations in the defense industrial base and peripheral outfits largely self-regulated. This led to beaches and after-the-fact penalties. From now on, the federal government requires participants to prove compliance before accessing CUI.
How CMMC Works
The CMMC brings a wide range of cybersecurity guidelines together under one roof and puts them on steroids. While that sounds like the effort would be extraordinarily technical and expensive, many organizations require only modest security improvements and a third-party audit to stay in the DoD orbit. The recently implemented guidelines set out five levels of compliance. They are increasingly stringent in conjunction with the value of the digital files a company stores or accesses. The following is a broad overview of the categories.
- Level 1: An organization that provides goods or services in the DoD pipeline must prove it enjoys “basic cyber hygiene,” such as updated firewalls, antivirus software, password protection, and other standard defenses. If your outfit accesses relatively minor CUI, a routine upgrade could bring you into compliance.
- Level 2: “Intermediate cyber hygiene” must be demonstrated to store and transmit essential CUI. Organizations that do not access classified information may pass muster by meeting controls under the previous U.S. Department of Commerce National Institute of Standards and Technology (NIST). Level 2 is considered a restatement of this standard.
- Level 3: Outfits that require this compliance level must have 47 controls in place. Considered “good cyber hygiene,” it’s likely you already have many of them in your cybersecurity portfolio.
- Level 4: Outfits that need “proactive cyber hygiene” are typically high-value targets. This compliance level includes the ability to detect and respond to “advanced persistent threats” (APTs). You are going up against hackers with heightened skills and expertise.
- Level 5: Contractors that deal directly with the DoD are tasked with implementing and maintaining “advanced cyber hygiene.” This standard calls for 30 heightened controls and an ability to detect, deter, and repel some of the world’s most determined bad actors.
Companies that require Level 1-3 compliance to continue earning profits from government work usually need modest updates and a strategy to implement new controls. Needless to say, government policies are filled with small details that require an expert understanding of the CMMC.
DoD official Katie Arrington has gone on the record, indicating the vast majority of companies will only need to implement the 17 controls associated with Level 1. She points out the costs are minimal, and small-business contractors may gain access to CMMC-related grants. While the compliance details are complicated for those without expertise, it’s crucial to gain certification ASAP.
How To Earn CMMC Compliance
Industry leaders don’t need to get bogged down in the unwieldy CMMC minutia. The wide-reaching details of securing compliance are better suited for cybersecurity professionals. That being said, decision-makers can bring your organization into compliance by having three things done — a cybersecurity assessment, remediation, and third-party audit. At Hampton Roads Communication Technologies, our team of experienced professionals can take care of the assessment and mitigation in preparation for a third-party audit.
- Assessment: An impartial expert conducts an analysis of your cybersecurity policy, best practices, and defenses. The review highlights strengths, weaknesses, and outlines the next steps to achieve CMMC compliance.
- Remediation: Cybersecurity specialists take corrective measures to improve defenses and implement the controls necessary to achieve your required level of compliance.
- Audit: With your system thoroughly vetted and defenses hardened, an accredited third-party conducts a CMMC audit. Once your company passes muster, you have the compliance credentials to bid on lucrative government work going forward.
Along with remaining in the supply chain, an organization that achieves CMMC compliance can wear that certification like a badge of honor. It sends a message to colleagues and potential clients that you can be trusted with their sensitive digital information. If you have not gone through a successful audit or are unsure about compliance, contact HRCT for a CMMC consultation.