New Security Regulation – Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity Maturity Model Certification

Changes are on the horizon for the Department of Defense (DoD) and its contractors. Late last year, the DoD announced the Cybersecurity Maturity Model Certification (CMMC), which officially released in January. The second phase of CMMC regulations will go into effect this September.

The DoD will implement the CMMC in requests for information (RFIs) starting in June of this year. Requests for proposals (RFPs) are next, seeing this new cybersecurity regulation in September 2020. With this date fast approaching, here’s a closer look at what the CMMC regulations are and what companies can expect.

What Does the CMMC Cover?

The CMMC is a new set of standards required by the DoD, replacing its old framework, the Defense Federal Acquisition Regulation Supplement (DFARS). Instead of establishing one overarching standard, the CMMC regulations include five different levels of certification. If a contractor meets higher levels of CMMC standards, they can bid for more sensitive contracts.

The first level, which the CMMC labels “basic cyber hygiene,” is equivalent to the Federal Acquisition Regulation (FAR). Its requirements include things like:

  • Antivirus software.
  • Ad hoc incident response.
  • Regular password changes.

Level two requires 72 practices, as opposed to level one’s 17. It covers:

  • 48 practices from the NIST SP 800-171 r1.
  • Complete compliance with FAR.
  • Seven additional requirements, like risk management training.

The third level is what the CMMC calls “good cyber hygiene.” It includes:

  • Complete FAR compliance.
  • Complete NIST SP 800-171 r1 compliance.
  • 20 other practices, like multi-factor authentication.

Level four of CMMC regulation includes proactive security measures. It covers 156 practices like:

  • FAR and NIST SP 800-171 r1 compliance.
  • Threat hunting.
  • Data loss prevention (DLT) software.

The fifth and final level of the CMMC is required for the most sensitive contracts. It includes:

  • FAR and NIST SP 800-171 r1 compliance.
  • A security operations center (SOC) that operates 24/7.
  • Real-time asset tracking.

Who Does the CMMC Affect?

These CMMC regulations apply to all contractors working with the DoD, including both prime contractors and subcontractors. If the same organizations keep doing business with the DoD, that means more than 300,000 companies will have to meet these standards. No contractors are exempt from certification.

With previous regulations, companies could self-assess the extent of their security protocols. The CMMC, however, requires audits from certified third parties. These third parties can start their assessments as of June, giving contractors plenty of time to meet CMMC regulations by September.

Changing the Landscape of Cybersecurity

Cybersecurity Maturity Model Certification (CMMC)

The CMMC represents a significant shift in the Government’s stance on cybersecurity. That’s not to say that the government ignored cybersecurity in the past, as regulations like the FAR demonstrate. CMMC regulations, though, go much farther, signifying that the State is taking cybersecurity more seriously.

This increase in security standards is a reactionary measure to rising cyberthreats, some of which the United States government has seen firsthand. Just this February, a DoD data breach might have compromised up to 200,000 service people’s records, like social security numbers. Government organizations are prime targets for cybercriminals, so updated cybersecurity is a must.

Now that the DoD requires higher standards from its contractors, this could cause a broader shift. Private companies could follow suit, asking more of their business partners. If this trend continues, it will lead to a more highly regulated and safer industry.

Robust Cybersecurity Isn’t Optional

It’s no longer an option for companies to pass up on well-rounded cybersecurity measures. As the business world becomes more concerned with cybersecurity, weak points can become economic disadvantages as well. The coming CMMC regulations are likely just the first sign of this broader change.

Requiring higher standards for contractors will improve security for everyone involved. The Cybersecurity Maturity Model Certification is just an answer to changing needs.

By Kayla Matthews

Bruce Guptill

How CFOs and CIOs See Finance Management Priorities

Cloud and the Finance-IT Effectiveness Gap IT leaders today tend to be much better aligned with business and operational leaders and business goals than they ...
Fahim Kahn

The 5 Biggest Hybrid Cloud Management Challenges—And How to Overcome Them

Hybrid Cloud Management Challenges The benefits of the cloud—reduced costs, greater IT flexibility, and more—are well-established. But now many organizations are moving to hybrid cloud ...
Karen Gondoly

You Don’t Need Cloud Desktops, You Need Cloud-Based VDI. Here’s Why

Cloud Desktops / Cloud-Based VDI Virtual Desktop Infrastructures (VDI) have been around for a while. As an example, VMware started selling their first VDI product ...
Mark Casey Apcela

Why CloudHubs are an Important Ingredient to Optimizing Performance of Cloud-based Applications

CloudHubs - Optimizing Application Performance It may seem hard to believe, but even in this day and age, there are still some enterprises that are ...
Tunio Zafer

Questions To Ask Every Cloud Storage Provider

Cloud Storage Provider Questions As with many new technologies, attitudes toward cloud storage vary. Telephones were immobile; wearables perhaps unwarranted. And now, the global cloud ...
Flexiant Tony Lucas

There Are Still Opportunities For Service Providers

Opportunities For Service Providers Service providers (SPs) still have a golden, but short-lived opportunity to commercialize the $266.4 billion cloud services market before AWS and others ...
Holiday Photos.png