The Cybersecurity Maturity Model Certification (CMMC) is a program initiated by the United States Department of Defense (US DoD) to secure the Defense Industrial Base (DIB). The program provides a unified standard for cybersecurity aimed at protecting defense information and supplier information systems, in addition to preventing United States adversaries from manipulating, destroying, or stealing defense information or compromising US DoD Systems through the supply chain.
Previous Defense Federal Acquisition Regulation (DFAR) requirements have allowed the DIB to self-certify compliance with NIST 800-171 for protecting Controlled Unclassified Information (CUI). CMMC is a multi-tiered maturity model with multiple levels that requires third-party certification. It will include five levels, with Level 1 being the least acceptable level of cyber hygiene, up to Level 5, which designates that the organization is employing state-of-the-art, agile security and defensive measures to protect against cyberattacks and insider threats.
The CMMC is currently managed by the Office of the Under Secretary of Defense for Acquisition and Sustainment. The initial draft for the model was published in 2019 and was ratified in 2020. In September of 2020 the CMMC Accreditation Body achieved an important milestone in the initial training of provisional assessors. Based on this and the proposed published timeline, starting in April of 2021 there will be a live ecosystem of assessors. All US DoD RFPs will mandate a CMMC level from 1-5, and this will affect prime contractors as well as suppliers to prime contractors through contract flow-downs.
If you are a supplier to the US DoD, you can learn more about CMMC, how to cost-effectively comply with NIST 800-171, and how to achieve an appropriate maturity level to continue conducting business with the DoD.
When is it coming?
The US DoD’s Cybersecurity Maturity Model Certification (CMMC) is scheduled to roll out in 2021. This means organizations that wish to do business with the Department of Defense as a prime contractor, subcontractor, or supplier must implement the necessary systems and controls, as well as get certified. This is the perfect time to learn more about what CMMC is and how it will affect your organization. You may need to make changes to your information systems, so it is important to plan and budget now, since US DoD RFPs will mandate a minimum CMMC level in order to bid on proposals.
Why is it necessary?
Why is the Pentagon requiring the Defense Industrial Base (DIB) to follow this new CMMC? The US DoD believes that our adversaries are weakening the defenses and offensive capabilities of the United States and our allies through the defense supply chain. Our adversaries can degrade our capabilities to defend the United States through the information systems of US DoD suppliers, because those suppliers often have access to critical pieces of weapon systems. While they may or may not have access to all of the plans for a particular weapon system, our adversaries can put the entire plan together by stealing it from multiple suppliers. They can degrade the capability or weaken a weapon system by manipulating the build plans within a supplier, which will create an inferior product or introduce a vulnerability that can be exploited at a time of an adversary’s choosing.
Ever wonder why our enemies have jets and other weapons that closely resemble those developed by the United States? Maybe they copied the plans. This tactic allows them to copy advanced weapon systems without having to make large investments, which degrades our strategic advantage.
And it isn’t just weapon systems that are at risk. Our adversaries are interested in stealing basic research from our advanced institutions and laboratories. They can use this information to advance their own programs and even compete in the commercial marketplace and circumvent patents around our intellectual property.
Protect your critical sensitive data against theft, manipulation, and destruction.
Why is it important for you and your suppliers?
Without meeting the minimum CMMC level specified in the US DoD RFP, you will no longer be able to compete for their business. If your organization or your suppliers aren’t compliant or are negatively affected by a cyberattack, it will disrupt your supply chain. That disruption will result in potential loss of profits, poor performance ratings, and loss of future contracts and contract eligibility.
How to prepare
The US DoD is mandating a CMMC compliance level for organizations to be able to participate in the procurement process. As IT decisions are being made in your organization ahead of accreditation requirements, it is important to future-proof your investment by choosing solutions that will make compliance with CMMC possible and easy. Visit RackTop’s CMMC readiness page so you can prepare and execute a plan that is tractable and cost-effective for your organization. When done correctly with the right partner, meeting the appropriate CMMC level will yield a larger return on investment.