If you want to work with the Department of Defense, you may be asking, “What is Cybersecurity Maturity Model Certification (CMMC) for defense contractors?” Cybersecurity Maturity Model Certification is a new requirement for defense contractors to ensure they maintain an adequate level of cybersecurity to prevent criminals from accessing Controlled Unclassified Information (CUI).
Contractors working with the Department of Defense will no longer be able to simply self-evaluate their cybersecurity systems. Instead, the DoD will require defense contractors to achieve CMMC compliance by having an accredited third-party organization appraise and certify them. This independent third-party certifier will award the contractor a specific CMMC ranking for their cybersecurity system, with 1 representing a more basic cybersecurity setup and 5 representing the most advanced.
The Cybersecurity Maturity Model Certification (CMMC) for defense contractors was officially released just last month. Ever since, businesses like Entrust Solutions that handle intel from the Department of Defense are working hard to understand and pursue CMMC compliance. Beginning in June 2020, contractors will start to see a specific CMMC level requirement on each DoD contract.
If you are a business partnered with the DoD, or you hope to become one, it’s crucial you understand the new Cybersecurity Maturity Model Certification and how to meet CMMC compliance standards before summer arrives.
Who Will Be Affected (and When)?
Wondering if and when you may be affected by the Cybersecurity Maturity Model Certification? Check these fast facts about CMMC compliance:
- The Cybersecurity Maturity Model Certification will affect all defense contractors who handle Controlled Unclassified Information, or sensitive information that the contractor possesses, manages, or creates for the DoD.
- The CMMC will be required for all contractors and subcontractors, no matter how small their business or their exact position within the supply chain.
- There are currently no exceptions to certification requirements, even for non-traditional solicitations or vendors.
- The Cybersecurity Maturity Model Certification may eventually be applied to all third parties handling sensitive government documents. At present, however, CMMC compliance is required only for those defense contractors who work with the DoD.
- In January of this year, Version 1.0 of the CMMC framework was released.
- In June 2020, CMMC compliance requirements should begin appearing in the Requests for Information of DoD contracts.
- Cybersecurity Maturity Model Certification will only be necessary for new contracts.
What Is Required by the Cybersecurity Maturity Model Certification (CMMC) for Defense Contractors?
The CMMC specifies five distinct cybersecurity levels for all partnered defense contractors, with level 1 being the lowest level of security and 5 the highest. The five levels are designed to make sure that each contractor has the necessary cybersecurity measures in place to protect the DoD’s sensitive documents. These function similarly to security clearance levels, but for Controlled Unclassified Information as opposed to classified information.
Depending on the defense contractor’s role with the DoD, they may need more or less advanced cybersecurity measures in place. This new tiered system also helps smaller companies to put effective cybersecurity measures in place without breaking their budgets.
The five levels of certification for defense contractors evaluate cybersecurity measures in a number of areas, such as access control, incident response, media protection, and personnel security. Each level requires contractors to meet a certain number and type of security standards in order to manage the Department of Defense’s CUI:
- Level 1, otherwise known as Basic Cyber Hygiene, covers basic cybersecurity measures that smaller businesses need to implement to work with the DoD. Level 1 mandates that defense contractors have 35 security controls in place in order to meet CMMC compliance, such as authenticating the identities of authorized users and monitoring organizational communications for suspicious activity.
- Level 2, also called Intermediate Cyber Hygiene, is for third parties contracted with the DoD that require additional cybersecurity measures, like using encryption to manage network devices. Level 2 demands that defense contractors meet 115 security standards—in addition to the basics expected in Level 1.
- Level 3, or Good Cyber Hygiene, calls for a more comprehensive approach to cybersecurity. Required cybersecurity measures include implementing cryptography mechanisms to protect data during transfers, testing the organizational incident response capability, and protecting audit information from unauthorized access. Level 3 demands 91 security controls, in addition to those specified in Levels 1 and 2.
- Level 4 is the Proactive Level. This level incorporates advanced cybersecurity measures aimed at identifying and addressing security risks before attacks occur. One such strategy is employing threat intelligence to inform the development of the system and security architectures. Companies certified at this level must also be capable of operating their reactive, or defensive, cybersecurity measures at machine speed. Level 4 requires an additional 95 security controls.
- Level 5 is the Advanced/Progressive Level, and the highest tier of CMMC compliance. Requiring an additional 34 controls, the Advanced/Progressive Level demands that DoD defense contractors use cybersecurity techniques such as mitigating risks of unidentified wireless access points, performing unannounced operational exercises to demonstrate technical and procedural responses, and enforcing port and protocol compliance.
What Makes CMMC Compliance Different?
One of the main differences between the Cybersecurity Maturity Model Certification requirements and previous requirements is that defense contractors can no longer simply assess their own cybersecurity abilities.
An independent third-party certifier is now required to appraise a defense contractor’s cybersecurity system in order for that contractor to work with the DoD. This helps to ensure that the Controlled Unclassified Information that contractors are responsible for stays out of the hands of cybercriminals.
The other main difference between CMMC compliance and previous standards, such as NIST SP 800-171 and NIST SP 800-53, is that CMMC provides a unified standard for the cybersecurity measures of all DoD defense contractors. Furthermore, CMMC presents a tiered system, acknowledging that different types of contractors working with the DoD require different levels of cybersecurity, depending on the type of CUI being handled and the particulars of the contract work.
Why Were These New Requirements Created?
As a defense contractor, it is important to stay aware of recent IT trends in the government contracting industry. Technological advancements are constantly changing how we do business, even with the government. When you understand why new policies or trends are gaining traction, you can put yourself in a better position to successfully navigate these shifts.
More and more, companies today are seeing the need for cybersecurity to support business intelligence. Government entities have access to unclassified information that is just as sensitive, making tighter security a necessary priority for them as well.
Cybercriminals who gain access to CUI can wreak havoc on both economic and national security. The right information could give these criminals the ability to upset our national defense system, foreign relationships, and finances. An official report from the White House states that in 2016, cyberattacks cost the U.S. economy between $57 billion and $109 billion.
According to a 2018 study from the Center for Strategic and International Studies (CSIS) and McAfee, nearly $600 billion is lost worldwide to cybercrimes every year. To put that into perspective, it is almost 1% of the global GDP, and it is an over $150 billion increase from McAfee’s 2014 report. Given the recent string of ransomware attacks on government bodies, from the Louisiana state government to multiple departments in Greece’s government, the impact of cybercriminals on the global economy has surely only increased.
The DoD October 2018 Data Breach
In recent years, the Department of Defense has also suffered from several security breaches, including a massive DoD data breach in October 2018. During this attack, hackers managed to obtain personal information, including Social Security numbers and credit card numbers, of at least 30,000 personnel, both military and civilian.
Rather than attacking the Department of Defense directly, the hackers gained access to this sensitive information by infiltrating the cybersecurity system of a defense contractor that worked with the DoD. This third party managed travel records, a particularly valuable line of data for cybercriminals because it reveals detailed employee itineraries, down to airplane seat numbers. If this type of data were to fall into the wrong cybercriminals’ hands, it could lead to an act of terrorism.
The data breach was discovered in early October of that year, but there is no telling how long the hackers were there. Cybercriminals often go undetected within a network for months at a time, so the hackers could have been accessing the DoD’s information for much longer.
In fact, the average business takes 191 days to detect the presence of a cybercriminal in its network. Hackers stay hidden for this long by moving laterally, or sideways, through a business’s or government’s network, gaining access to more and more credentials and systems as they travel.
These significant cybercrimes underscored the need for the Department of Defense to maintain excellent cybersecurity techniques for not only their own networks, but also the networks of all organizations with which they partner. Leaving defense contractors to self-assess and self-report on their cybersecurity abilities was clearly not adequate. Nor was it sufficient to have a series of different cybersecurity standards confusingly spread across several different mandates.
By creating a unified standard of cybersecurity requirements for all businesses partnered with the DoD, the Cybersecurity Maturity Model Certification (CMMC) for defense contractors can better protect sensitive data from falling into the wrong hands.
Contact Us About Cybersecurity Maturity Model Certification (CMMC) for Defense Contractors
At Entrust Solutions, we understand the complexity of ensuring your business is up to date with the latest government-mandated cybersecurity standards. We are here to help make sure that your cybersecurity measures are up to par with the CMMC compliance level you need to work with the Department of Defense.
Currently, Entrust Solutions is working to become a CMMC third-party certifier, meaning that our company will be able to assess your business’s cybersecurity protocols. After we have awarded you the appropriate Cybersecurity Maturity Model Certification level, your business will be cleared to handle sensitive data from the Department of Defense.
Looking for a partner? We are also working to achieve our own CMMC certification for DoD contracts. Entrust Solutions can act as either prime contractor or subcontractor, depending on the circumstances. We are always looking to create more long-lasting, mutually beneficial partnerships to win and fulfill government contracts.
Whether you want to know more about working with us or how we can help your company meet CMMC compliance standards, contact Entrust Solutions today. Start working on gaining the CMMC level you need for your defense contractor business now, before these requirements are fully enacted this summer.