Recently, a member from Women in Tech NJ & NY shared a new cybersecurity requirement for government contractors, which may impact suppliers in our community. The Cybersecurity Maturity Model Certification (CMMC) framework will be a requirement for some companies to bid on a Department of Defense (DoD) contract. The CMMC Accreditation Body (CMMC-AB) establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the CMMC program. According to the CMMC-AB (www.cmmc-ab.org), the goal is to prevent sensitive data from being stolen by adversaries from the 300,000 DoD contractors and subcontractors. The two key types of information DoD wants to protect are Controlled but Unclassified Information (“CUI”) and Federal Contract Information (“FCI”). The main concerns of DoD include a) theft and use of this information against the national security interests of the United States and b) theft of intellectual property that results in an estimated $600 billion loss to the U.S. economy.
How did we get here?
A cybersecurity risk management function within an organization is vital to safeguarding customer data, minimizing remediation costs, and protecting a company’s critical infrastructure systems. The National Institute of Standards and Technology (NIST) developed Framework Version 1.0 under Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity” (February 2013), which provided much-needed guidance. The framework used a common language to address and manage cybersecurity risk in a cost-effective way based on business and organizational needs, without placing additional regulatory requirements on businesses. To better address these risks, the Cybersecurity Enhancement Act of 2014 (CEA) updated the role of NIST to include identifying and developing cybersecurity risk frameworks for voluntary use by critical infrastructure owners and operators, resulting in Version 1.1. The structure of the framework is categorized by five core functions (Identify, Protect, Detect, Respond, and Recover) and 23 additional sub-categories as a foundation for cybersecurity risk management.
CMMC Framework Overview
The Cybersecurity Maturity Model Certification (CMMC) framework consists of maturity processes and cybersecurity best practices drawn from multiple cybersecurity standards, frameworks, and other references, as well as inputs from Defense Industrial Base (DIB) sector and Department of Defense (DoD) stakeholders. The DIB sector consists of over 300,000 companies. The CMMC framework measures cybersecurity maturity with 5 Levels, 17 Domains, 43 Capabilities, and 171 Practices. It has been determined that by 2025 all DoD Suppliers need CMMC-AB Certification, which allows the organization to bid on DoD contracts up to the identified maturity level. In order to change status from Supplier to CMMC Certified Supplier, the CMMC-AB Assessment must be conducted by a Third-Party Assessor Organization and Certified Assessors. The CMMC-AB Certificate is valid for 3 years.
The CMMC initiative is still under development, and there are currently no Third-Party Organizations that can officially grant a CMMC certification; however, it is still important to prepare for an upcoming cybersecurity audit. During this COVID-19 era, Suppliers can start working toward compliance by reviewing the National Institute of Standards and Technology Special Publication 800-171 controls in preparation for the upcoming release of CMMC. Contacting a cybersecurity risk management advisor for a pre-assessment is key to understanding deadlines and remediation requirements. Keep in mind that engaging a Third-Party Assessor in the future may require external funding sources to cover the cost, as well as cybersecurity insurance.
About Cathy C. Smith
Cathy C. Smith, CEO of Chameleon Consulting, is a Digital Business Transformation Advisor, Author, and Founder of Women in Tech NJ & NY. She advises Executives, Board of Directors, Management Consulting Firms, and Professionals on cybersecurity risk management strategies to thrive in the digital economy. She shares best practices in her published book titled “How to Become a Digital Leader: A Roadmap to Success.” She invites readers to follow her on Twitter at @CathyCSmith and visit her website at www.chameleonconsultingllc.com.