The Defense Department is hoping for wide adoption of its new Cybersecurity Maturity Model Certification (CMMC) program across the defense industrial base.
The CMMC program is designed to improve the cybersecurity posture of contractors who work with the Department of Defense (DoD). It will do this by requiring contractors to implement specific cyber hygiene practices and controls that are appropriate for the level of sensitivity of the information they possess. The CMMC certification process will be overseen by independent assessors, who will certify that contractors have implemented the required controls.
The CMMC program is still in its early stages, and it will take some time for it to be fully implemented. In the meantime, there are ten things that businesses should know about the current state of CMMC.
- The CMMC program is voluntary for contractors: Contractors are not required to participate in the CMMC program. However, the DoD has said that it will give preference to contractors who are certified under CMMC when awarding contracts.
- The CMMC program is not yet mandatory for contractors: The DoD has said that it plans to make CMMC certification mandatory for all contractors that work with it. However, this has not yet been implemented.
- There are five levels of CMMC certification: The levels range from Basic Cyber Hygiene (Level 1) to Advanced/Progressive (Level 5). The level of certification that a contractor needs will depend on the sensitivity of the information they will be handling.
- Certification is granted by independent assessors: The CMMC program will be overseen by independent assessors, who will certify that contractors have implemented the required controls.
- The CMMC program is still in development: The program is still in its early stages, and it will take some time for it to be fully implemented and for all the kinks to be ironed out.
- There is no one-size-fits-all solution: The controls that contractors will be required to implement will vary depending on the level of CMMC certification that they are seeking.
- The program is flexible: The CMMC program is designed to be flexible, so that it can evolve as the threat landscape changes.
- Certification is not a silver bullet: While CMMC certification will improve the cybersecurity posture of contractors, it is not a guarantee that they will never be breached. Contractors must still implement other security measures, such as encrypting data and using two-factor authentication.
- The DoD is committed to the program: The DoD has said that it is committed to the CMMC program, and that it will continue to work with contractors to ensure its success.
- The CMMC program is open to feedback: The DoD is soliciting feedback from industry on the CMMC program. Interested parties can provide input through the CMMC Accreditation Body website.
The CMMC program is still in its early stages, but it is already clear that it has the potential to make a positive impact on the cybersecurity posture of contractors. Businesses should start to familiarize themselves with the program and its requirements, so that they can be prepared when it is eventually made mandatory.