But before we go into too much detail on version 0.4 of the CMMC, let's take a look at WHY it's important.
The Department of Defense estimates that the total value of data lost to our adversaries is $60 billion per year. It's not only the military that needs to worry about information being stolen. Contractors doing business with the DoD, NASA, GSA and other state and federal agencies are at risk because their cybersecurity measures often lag behind those of the agencies they serve. Our adversaries are well aware of how much sensitive data contractors tend to hold, and a supplier with weak controls is an easier target than the government customer itself.
Although NIST SP 800-171 and DFARS 252.204-7012 were created to help contractors better secure their information systems, they're far from fool-proof. Compliance is self-attested: a contractor signs a contract claiming to meet the 110 controls, and nobody independently verifies it, which means many contractors aren't as secure as they claim to be. On top of that, there is a lot of confusion about how to actually implement and document the controls in the current standards. That's where the CMMC comes in.
The CMMC introduces 5 levels of security requirements. The first level has the least restrictive requirements and is intended for organizations that handle minimal sensitive data. The fifth level is far stricter and is intended for organizations handling sensitive unclassified data, such as export-controlled (ITAR) technical data. On September 4, 2019, version 0.4 of the CMMC was released for public comment.
When will the final CMMC framework be released and what should you expect?
Version 0.4 of the CMMC is currently out for comment; version 1.0 is scheduled for release in January 2020. Those working in the industry can expect to see CMMC requirements appear in requests for information (RFIs) starting in June 2020. Ultimately, the CMMC will combine cybersecurity controls drawn from existing frameworks, including the following:
- NIST SP 800-171
- NIST SP 800-53
- ISO 27001
- ISO 27032
- AIA NAS9933
This will create one unified standard and, unlike the existing self-attestation model, will measure the maturity of any given company's cybersecurity policies, processes, and practices, not just whether a control is nominally in place.
Will organizations need to undergo any assessments and/or become certified?
Yes. Each organization will need to schedule a CMMC assessment, in which an assessor reviews its cybersecurity policies, processes, and practices. Once the assessment is completed, the organization is certified at the highest level for which it has demonstrated the required organizational maturity. A contractor cannot bid on a contract that calls for a level it has not been certified at. For a sense of scale, NIST SP 800-171 maps most closely to level 3: NIST SP 800-171 has 110 controls, while level 3 of version 0.4 lists 91 practices.
The CMMC is expected to go through two more draft versions before version 1.0 is finalized in January 2020. Once released, CMMC version 1.0 will apply to new RFIs starting in June 2020 and to requests for proposal (RFPs) starting in September 2020.
What else do you need to know to be prepared for the upcoming final release?
The Department of Defense is clearly quite serious about cybersecurity, and for good reason: it's vital to protect our data from our adversaries. The draft already requires, at its higher levels, advanced threat hunting that includes automated, machine-based remediation. That is at the forefront of current cybersecurity practice, so you can expect the final framework to demand a comprehensive approach rather than a checklist of minimum safeguards.
Need an experienced IT company to help you understand the CMMC? Contact Hampton Roads Communication Technologies at (757) 255-8952. We work with DoD contractors throughout the United States, Mid-Atlantic Region, Hampton Roads Virginia, north into Williamsburg and south into the Outer Banks of North Carolina.
Looking to take a step back and focus on NIST 800-171? Check out our latest post that reviews exactly what you need to know to attain compliance here.