More than ever before, cybersecurity is vital, especially for defense contractors. There are plenty of hackers out in cyberspace causing data breaches, spreading viruses, and creating havoc. When national security is at stake, the best possible protection is necessary. This is the purpose of assessor certification programs and frameworks such as the Cybersecurity Maturity Model Certification (CMMC). The National Institute of Standards and Technology publishes these standards, and any firms that serve as defense contractors must strictly adhere to them. Failure to do so could result in disastrous consequences.
History of CMMC
Defense contractors must face and pass a periodic CMMC audit. National standards for cybersecurity began in 2002 when the Federal Information Security Management Act was passed. This required all agencies of the federal government to develop programs to protect the safety of data and data systems. Working with the National Institute of Standards and Technology, the National Science Foundation began to develop the standards that would become CMMC. New programs were established and the Secretary of Commerce worked to increase funding for existing programs. The path to CMMC was an ongoing one with many steps over a number of years.
Start of CMMC
In 2019, the Department of Defense announced the creation of CMMC. The transition had been mandated in 2017 after a series of breaches in the supply chain demonstrated the need for updated standards and protocols used to govern the Defense Industry Base. At that time, self-assessment and reporting of cybersecurity preparedness became a requirement for all defense contractors. There are five levels of cybersecurity maturity for the defense industry. Each has higher standards that a company must pass for certification. They are:
- Basic Cyber Hygiene – This level has 17 security controls.
- Intermediate Cyber Hygiene – This level has 46 security controls.
- Good Cyber Hygiene – This level has 47 security controls.
- Proactive – This level has 26 security controls.
- Advanced/Progressive – This level has 4 security controls.
The levels are cumulative, so in order to achieve a particular level, a company must be in full compliance with all security controls of the lower levels as well as those of the level it is currently seeking.
The DoD published an interim rule in the Federal Register in September 2020. The rule stated the DoD’s vision for CMMC and outlined its assessments, framework, and methods of implementation. The rule went into effect and began a five-year phase-in period in November of that year. In November 2021, the DoD announced an updated set of requirements and structure which took CMMC to version 2.0. This new version streamlines the model from five levels to three, increases oversight of the standards of third parties, and decreases the cost of assessment. Version 2.0 also has greater flexibility. All defense contractors must now follow the standards and procedures outlined in CMMC 2.0.
Cybersecurity is extremely important. Companies that are part of the defense supply chain must be especially careful to avoid data breaches. CMMC 2.0 is designed to ensure all defense contractors follow the same standards to protect sensitive data.