Starting this year (2020), the United States Department of Defense is rolling out the Cybersecurity Maturity Model Certification (CMMC). The CMMC is a certification standard aimed at DOD contractors, intended to strengthen their cybersecurity practices.
Many contractors have historically had weak cybersecurity practices, which is a danger to the entire country when they are working on sensitive projects contracted by the DOD. The CMMC was created to address these security concerns.
Here are some points businesses will need to watch out for as these new standards start to take effect.
The CMMC Rollout Will Be Gradual, but Will Eventually Affect All DOD Contractors.
At the moment, the CMMC won’t apply to existing contracts. Contractors working under those contracts remain bound by the standards those contracts were awarded under.
Between June and September 2020, the first round of CMMC audits will start for individual contractors working on more sensitive projects. Once October 2020 comes around, all DOD contractors will need to have CMMC certification before they can bid on a DOD project in any capacity.
The CMMC Accrediting Body Will Assign Third-Party Assessing Organizations to Give Assessments.
The CMMC Accrediting Body is working to define its roles and responsibilities, including how these third-party organizations are certified themselves, so that no conflicts of interest arise. Third-party assessing organizations will then be selected and trained to certify the businesses that require certification.
There Are Five Levels of CMMC Certification.
Level 1 CMMC certification covers basic cybersecurity practices, such as having anti-malware installed on all office computers, using strong passwords, and updating your software regularly. You should already be doing this anyway, so achieving level 1 certification should be no problem.
Level 2 CMMC certification demands that you use more advanced cybersecurity protocols. You must be able to prevent attacks more effectively than a level 1 rated organization. This certification level also requires that you document your security protocols and how they’re maintained.
Level 3 certified organizations show they can implement security controls that are required under NIST SP 800-171. The contractor will need to show they can meet most threats and keep their information secure.
To reach Level 4 certification, your organization will need to show that it can protect Controlled Unclassified Information (CUI) by continually updating its security protocols. The organization will also need to review the effectiveness of its security protocols.
Level 5 certification shows that you are capable of meeting the most advanced threats. To reach level 5, this heightened security protocol must be standard across your entire organization.
The DOD understands that strong cybersecurity is critical to national security. To work with the DOD on any project in the future, you will need to be CMMC certified, so make certification your organization’s top priority.