The US Department of Defense (DoD) released the first version of the Cybersecurity Maturity Model Certification (CMMC) on 31 January 2020. CMMC is the latest in a long line of defense-industry security standards, a lineage that goes back to the late 1990s. Terms like DITSCAP, DIACAP, ITAR, DFARS, and more recently the Risk Management Framework (RMF) are all defense-related security standards or regulations. They were developed at different times, some supplanted older ones (DIACAP replaced DITSCAP and was in turn replaced by the RMF), and many were intended for different audiences. (For example, the RMF as adopted by DoD governs the department's own information systems rather than contractor networks.)
CMMC was developed after DoD contractors suffered a string of data breaches despite the rollout of NIST SP 800-171 compliance requirements through DFARS. Under that regime, DoD contractors self-attested to compliance and, as long as any security gaps were identified and listed in a Plan of Action and Milestones (POA&M), contractors were allowed to continue providing products and services without implementing all of the NIST 800-171 security requirements. Subsequent audits of "compliant" DoD contractors concluded that compliance was more of a myth than a fact. This was driven in part by the self-certification model, and in part by the loophole that let contractors substitute a written plan for a capability that was actually implemented and effective.
CMMC represents an evolution toward a risk- and capability-based approach to security controls and a migration away from yes/no checklists and static remediation plans. The idea is simple: the security controls required of a member of the Defense Industrial Base depend on the information it processes. A contractor that handles only Federal Contract Information (FCI) faces a lower bar than one that stores or processes Controlled Unclassified Information (CUI). This concept aligns the DoD with how other industries, such as financial services and healthcare, have built security programs for years.
With CMMC, both self-certification and Plans of Action and Milestones have been eliminated. Companies will need to remediate their security weaknesses before they can achieve certification. The CMMC Accreditation Body (CMMC-AB) was formed to accredit the third-party assessment organizations and train and certify the assessors who will conduct CMMC assessments of DoD contractors.
There are over 250,000 companies in the Defense Industrial Base (DIB), including contractors and subcontractors. Under the DoD's phased rollout plan, by 2025 all DoD suppliers will need to achieve at least CMMC Level 1.
The CMMC model includes five levels, each with a cumulative set of practices and a required level of process maturity. Level 1 (basic cyber hygiene) covers the 17 practices needed to protect FCI and requires only that they be performed; Level 3 (good cyber hygiene) requires 130 practices, including all 110 NIST SP 800-171 requirements, with the processes documented and managed; Levels 4 and 5 add further practices aimed at advanced persistent threats, with reviewed and optimizing processes respectively. The DoD requires contractors to meet both the practices and the process requirements of a level to be certified at that level.
Contact Nuspire to help your organization meet its compliance and incident response planning needs.