CMMC: The Cybersecurity Maturity Model Certification

Photo by mindfrieze

A supply chain is only as strong as its weakest link, and the growth in security incidents has prompted the government to act on this threat. The cyber threat from foreign adversaries, hackers, and criminals presents significant new risks to government and industry. Constant, targeted, and well-funded attacks by malicious actors threaten government and industry alike by way of their contractors, subcontractors, and suppliers at every tier of the supply chain. Sophisticated threat actors exploit vulnerabilities deep in supply chains as a beachhead from which they can gain access to sensitive and proprietary information further along the chain.

For these reasons, the DoD is launching a new cybersecurity compliance requirement for all companies that conduct business with the federal government: the CMMC. The new certification model has been designed around several familiar cybersecurity requirements, but it is also an attempt to get a better handle on the defense supply chain.

“Every company within the DoD supply chain — not just the defense industrial base, but the 300,000 contractors — are going to have to get certified to do work with the Department of Defense”

Katie Arrington, chief information security officer for DoD’s Office of the Assistant Secretary of Defense for Acquisition.

The model covers 18 domains across five maturity levels.

“To bid on a contract or perform you have to be at maturity level 3, or you can’t perform, we understand that, and we think that’s a good thing”.

Scott Rush, Lockheed’s deputy chief information security officer, said that building the maturity model into the acquisition process makes sense, and that he hopes to see more uniform, common cybersecurity standards across the Defense enterprise. “What we would rather not see happen, because we think it would dampen collaboration, is if it becomes part of the evaluation criteria.”

The challenge is that over 75% of small businesses don’t have a proven plan to protect themselves against hacking, phishing, and ransomware. A single incident can cost a company more than $100,000 in lost revenue, recovery costs, reputational damage, and/or regulatory fees. Some of the current and upcoming regulations that businesses are required to comply with include NIST 800-171, ISO 27001, and soon the new CMMC.

If you have any questions about cybersecurity, or about how we can help you address your company’s cybersecurity regulatory needs, contact us using the form below.