New Security Regulation – Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity Maturity Model Certification

Changes are on the horizon for the Department of Defense (DoD) and its contractors. Late last year, the DoD announced the Cybersecurity Maturity Model Certification (CMMC), which officially released in January. The second phase of CMMC regulations will go into effect this September.

The DoD will implement the CMMC in requests for information (RFIs) starting in June of this year. Requests for proposals (RFPs) are next, seeing this new cybersecurity regulation in September 2020. With this date fast approaching, here’s a closer look at what the CMMC regulations are and what companies can expect.

What Does the CMMC Cover?

The CMMC is a new set of standards required by the DoD, replacing its old framework, the Defense Federal Acquisition Regulation Supplement (DFARS). Instead of establishing one overarching standard, the CMMC regulations include five different levels of certification. If a contractor meets higher levels of CMMC standards, they can bid for more sensitive contracts.

The first level, which the CMMC labels “basic cyber hygiene,” is equivalent to the Federal Acquisition Regulation (FAR). Its requirements include things like:

  • Antivirus software.
  • Ad hoc incident response.
  • Regular password changes.

Level two requires 72 practices, as opposed to level one’s 17. It covers:

  • 48 practices from the NIST SP 800-171 r1.
  • Complete compliance with FAR.
  • Seven additional requirements, like risk management training.

The third level is what the CMMC calls “good cyber hygiene.” It includes:

  • Complete FAR compliance.
  • Complete NIST SP 800-171 r1 compliance.
  • 20 other practices, like multi-factor authentication.

Level four of CMMC regulation includes proactive security measures. It covers 156 practices like:

  • FAR and NIST SP 800-171 r1 compliance.
  • Threat hunting.
  • Data loss prevention (DLT) software.

The fifth and final level of the CMMC is required for the most sensitive contracts. It includes:

  • FAR and NIST SP 800-171 r1 compliance.
  • A security operations center (SOC) that operates 24/7.
  • Real-time asset tracking.

Who Does the CMMC Affect?

These CMMC regulations apply to all contractors working with the DoD, including both prime contractors and subcontractors. If the same organizations keep doing business with the DoD, that means more than 300,000 companies will have to meet these standards. No contractors are exempt from certification.

With previous regulations, companies could self-assess the extent of their security protocols. The CMMC, however, requires audits from certified third parties. These third parties can start their assessments as of June, giving contractors plenty of time to meet CMMC regulations by September.

Changing the Landscape of Cybersecurity

Cybersecurity Maturity Model Certification (CMMC)

The CMMC represents a significant shift in the Government’s stance on cybersecurity. That’s not to say that the government ignored cybersecurity in the past, as regulations like the FAR demonstrate. CMMC regulations, though, go much farther, signifying that the State is taking cybersecurity more seriously.

This increase in security standards is a reactionary measure to rising cyberthreats, some of which the United States government has seen firsthand. Just this February, a DoD data breach might have compromised up to 200,000 service people’s records, like social security numbers. Government organizations are prime targets for cybercriminals, so updated cybersecurity is a must.

Now that the DoD requires higher standards from its contractors, this could cause a broader shift. Private companies could follow suit, asking more of their business partners. If this trend continues, it will lead to a more highly regulated and safer industry.

Robust Cybersecurity Isn’t Optional

It’s no longer an option for companies to pass up on well-rounded cybersecurity measures. As the business world becomes more concerned with cybersecurity, weak points can become economic disadvantages as well. The coming CMMC regulations are likely just the first sign of this broader change.

Requiring higher standards for contractors will improve security for everyone involved. The Cybersecurity Maturity Model Certification is just an answer to changing needs.

By Kayla Matthews

Sangeeta Chhabra

What Accountants Should Know About The Cloud

Cloud Accounting Cloud technology has been at the top of the charts of new-age technologies for a long time now. Almost every industry in the world has started realizing its capabilities and integrating cloud strategies ...
Bittitan

Episode 6: Cloud Migration: Why It’s More Important Than Ever

The Importance of Cloud Migration Moving fully to the cloud is still a concern for many companies, but with millions of employees working from home, there’s an even greater need to migrate. Mark Kirstein, VP ...
Rajesh Khanna

How to Re-imagine DSP’s Contact Centers with Intelligent Process Automation

Intelligent Process Automation Enable agents to work smarter, reduce call volume, and improve efficiency The current state of Digital Service Providers’ (DSPs) manual or semi-automated contact centers is no more enough to provide customer delight, ...
Tesla Twitter

The Tesla Story The World Is Ignoring

The Tesla Story The World Is Ignoring Bugatti is one of the most recognized names among luxury supercars. After the founder Ettore Bugatti died, the company nearly disappeared in 1952. Until Italian businessman Romano Artioli ...
Jen Klostermann

Telemedicine to medical smartphone applications

Telemedicine to medical smartphone applications With the current and growing worldwide concerns regarding the Coronavirus (COVID 19). Telemedicine is more important now than ever. What are some of the key areas in the coming years ...
Digitizing Contact Center to Reduce Call Volume by 30% and Improve NPS

Digitizing Contact Center to Reduce Call Volume by 30% and Improve NPS

Digitizing Contact Center With a Net Promoter Score (NPS) average of 24, telecom holds the lowest industry average according to the NPS Benchmarks Report. Operational inefficiencies in contact centers play a major role in the low ...