New Security Regulation – Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity Maturity Model Certification

Changes are on the horizon for the Department of Defense (DoD) and its contractors. Late last year, the DoD announced the Cybersecurity Maturity Model Certification (CMMC), which officially released in January. The second phase of CMMC regulations will go into effect this September.

The DoD will implement the CMMC in requests for information (RFIs) starting in June of this year. Requests for proposals (RFPs) are next, seeing this new cybersecurity regulation in September 2020. With this date fast approaching, here’s a closer look at what the CMMC regulations are and what companies can expect.

What Does the CMMC Cover?

The CMMC is a new set of standards required by the DoD, replacing its old framework, the Defense Federal Acquisition Regulation Supplement (DFARS). Instead of establishing one overarching standard, the CMMC regulations include five different levels of certification. If a contractor meets higher levels of CMMC standards, they can bid for more sensitive contracts.

The first level, which the CMMC labels “basic cyber hygiene,” is equivalent to the Federal Acquisition Regulation (FAR). Its requirements include things like:

  • Antivirus software.
  • Ad hoc incident response.
  • Regular password changes.

Level two requires 72 practices, as opposed to level one’s 17. It covers:

  • 48 practices from the NIST SP 800-171 r1.
  • Complete compliance with FAR.
  • Seven additional requirements, like risk management training.

The third level is what the CMMC calls “good cyber hygiene.” It includes:

  • Complete FAR compliance.
  • Complete NIST SP 800-171 r1 compliance.
  • 20 other practices, like multi-factor authentication.

Level four of CMMC regulation includes proactive security measures. It covers 156 practices like:

  • FAR and NIST SP 800-171 r1 compliance.
  • Threat hunting.
  • Data loss prevention (DLT) software.

The fifth and final level of the CMMC is required for the most sensitive contracts. It includes:

  • FAR and NIST SP 800-171 r1 compliance.
  • A security operations center (SOC) that operates 24/7.
  • Real-time asset tracking.

Who Does the CMMC Affect?

These CMMC regulations apply to all contractors working with the DoD, including both prime contractors and subcontractors. If the same organizations keep doing business with the DoD, that means more than 300,000 companies will have to meet these standards. No contractors are exempt from certification.

With previous regulations, companies could self-assess the extent of their security protocols. The CMMC, however, requires audits from certified third parties. These third parties can start their assessments as of June, giving contractors plenty of time to meet CMMC regulations by September.

Changing the Landscape of Cybersecurity

Cybersecurity Maturity Model Certification (CMMC)

The CMMC represents a significant shift in the Government’s stance on cybersecurity. That’s not to say that the government ignored cybersecurity in the past, as regulations like the FAR demonstrate. CMMC regulations, though, go much farther, signifying that the State is taking cybersecurity more seriously.

This increase in security standards is a reactionary measure to rising cyberthreats, some of which the United States government has seen firsthand. Just this February, a DoD data breach might have compromised up to 200,000 service people’s records, like social security numbers. Government organizations are prime targets for cybercriminals, so updated cybersecurity is a must.

Now that the DoD requires higher standards from its contractors, this could cause a broader shift. Private companies could follow suit, asking more of their business partners. If this trend continues, it will lead to a more highly regulated and safer industry.

Robust Cybersecurity Isn’t Optional

It’s no longer an option for companies to pass up on well-rounded cybersecurity measures. As the business world becomes more concerned with cybersecurity, weak points can become economic disadvantages as well. The coming CMMC regulations are likely just the first sign of this broader change.

Requiring higher standards for contractors will improve security for everyone involved. The Cybersecurity Maturity Model Certification is just an answer to changing needs.

By Kayla Matthews

Dinesh Varadharajan
The Future with Automation Many entrepreneurs believe digital technologies will transform the way their companies work. By 2022, the worldwide hyper-automation technology market is expected to be worth $596.6 billion. And by 2055, almost half ...
Mitigation Security
Data scraping solutions When people hear the term data scraping, their first thought is often about how companies use this technology for competitive reasons – specifically to pull publicly-available data from millions of websites in ...
Dmitry Chekalin
How Much Should a Modern Website Cost? A website is a valuable instrument for growing your business. Your website presents your brand to users. Also, it compels your prospects to become your customers. So, how ...
Gilad David Maayan
What is Zero Trust Network Access (ZTNA)? In a zero-trust security model, all user connections are authenticated, and users only receive the access and privileges they need to fulfill their role. This is very different ...
Episode 16: Bigger is not always better: the benefits of working with smaller cloud providers
The benefits of working with smaller cloud providers A conversation with Ryan Pollock, VP Product Marketing and Developer Relationships for Vultr.com - Everyone knows who the big players are in the cloud business. But sometimes, ...
  • Plural Site

    Pluralsite

    Pluralsight provides online courses on popular programming languages and developer tools. Other courses cover fields such as IT security best practices, server infrastructure, and virtualization.

  • Isc2

    ISC2

    (ISC)² provides IT training, certifications, and exams that run online, on your premises, or in classrooms. Self-study resources are available. You can also train groups of 10 or more of your employees. If you want a job in cybersecurity, this is the route to take.

  • App Academy

    App Academy

    Immersive software engineering programs. No experience required. Pay $0 until you're hired. Join an online info session to learn more

  • Cybrary

    Cybrary

    CYBRARY Open source Cyber Security learning. Free for everyone, forever. The world's largest cyber security community. Cybrary provides free IT training and paid IT certificates. Courses for beginners, intermediates, and advanced users are available.