At the end of January 2020, the U.S. Department of Defense (DoD) approved the Cybersecurity Maturity Model Certification (CMMC) with plans to apply this new standard to up to 3,000 subcontractors by the end of 2020. Unlike prior self-attestation methods, this new model requires external assessments.
To prepare for the CMMC, organizations should begin to immediately map their policies and associated procedures against both the Center for Internet Security Critical Security Controls (CSC) and NIST 800-171. The appendixes of the CMMC are a great resource and show how each requirement can be satisfied in a clear and concise manner. Smaller businesses will likely need to only meet CMMC level one or two, while larger businesses or those that handle Controlled Unclassified Information (CUI) will need to achieve level three or higher.
The intent of mapping requirements to existing procedures and policies is to identify and then begin to remediate any gaps between what’s required and what’s done, while there is still time to take corrective action. Otherwise, businesses in the supply chain face substantial regulatory and revenue risk, as prime contractors and subcontractors found not to be in compliance won’t be allowed to bid on or participate in DoD contracts.
About the Author: Kayne McGladrey is a spokesperson for the Institute of Electrical and Electronics Engineers (IEEE) and works with organizations and individuals to understand the current best practices and risk-based approaches to managing cyber threats.