For employers with contracts with the Department of Defense, compliance just went cyber! Cybersecurity, that is. The Department of Defense issued an interim rule (DFARS Case 2019-D041), effective November 30, 2020, that implements heightened cybersecurity requirements for defense contractors, including the phased rollout of the CMMC framework.
What is the CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification.” It is a unifying standard for implementing cybersecurity measures across the Defense Industrial Base (DIB). The Department of Defense created the CMMC to build on existing cybersecurity requirements (such as those in NIST SP 800-171) and to serve as a verification mechanism that confirms contractors are actually implementing the required practices, rather than merely attesting that they do.
The CMMC consists of five certification levels that reflect the maturity of a company’s cybersecurity practices and processes. The five levels are cumulative: each level requires meeting all of the practices and processes of the levels below it. The five certification levels of the CMMC are as follows:
- Level 1 (“Basic cyber hygiene”): basic safeguarding practices such as antivirus software and employee password policies, intended to protect Federal Contract Information.
- Level 2 (“Intermediate cyber hygiene”): a transitional step toward protecting Controlled Unclassified Information (CUI) through the implementation of a subset of the NIST SP 800-171 security requirements.
- Level 3 (“Good cyber hygiene”): a company must have an institutionalized management plan for implementing good cyber hygiene practices, covering all of the NIST SP 800-171 security requirements needed to protect CUI.
- Level 4 (“Proactive”): a company must have implemented processes for reviewing and measuring the effectiveness of its cybersecurity practices. It must also have established enhanced practices to detect and respond to the changing tactics, techniques, and procedures (TTPs) of advanced persistent threats (APTs).
- Level 5 (“Advanced/Progressive”): a company must have standardized and optimized processes in place across the organization, plus additional enhanced practices that provide a more sophisticated capability to detect and respond to APTs.
How does the CMMC impact contractors?
Prior to the CMMC, contractors carried the full responsibility of implementing, monitoring, and self-certifying the security of their technology systems, including the systems used to manage, store, and transmit sensitive Department of Defense information, in an age when cybercriminals are constantly launching attacks. Contractors remain responsible for implementing appropriate cybersecurity measures; what the CMMC adds is a third-party assessment of the contractor’s compliance with the mandatory practices for the level it seeks. Self-attestation alone no longer satisfies the requirement.
Eventually, all Department of Defense contractors will be required to hold a CMMC certification at the level specified in their contracts. The Department of Defense has indicated that the certification level required of the prime contractor will not necessarily be the same level required of every subcontractor in the supply chain for that contract; the required level flows down according to the information each subcontractor handles. That said, differing certification levels on a single contract have the potential to raise complex implementation concerns for prime contractors and subcontractors alike, since the prime must confirm that each subcontractor holds the level its work requires.