Advanced cybersecurity for defense contractors is under a new magnifying glass: the Cybersecurity Maturity Model Certification. As well as being a completely new way of assessing and granting certification for prime and sub contractors, it could be a clear indicator that compliance within global cybersecurity is taking a giant leap for all of us.

What is CMMC?

CMMC is a new security framework for Department of Defense (DoD) contractors, designed to rigorously assess just how secure these companies keep sensitive defense facts and information, otherwise known as Controlled Unclassified Information (CUI). Although CMMC has been in development for some time, full details were only released at the start of 2020; a time of intense change already.

CMMC works on the basis that cybersecurity is holistic and ever-changing. It’s about more than just providing the right firewalls or server protection. It includes the awareness of staff within the company, risk assessment, and even physical security. Poor building security could allow the wrong people to view information not meant for their eyes.

What’s Changing?

It’s not about simply hitting targets or demonstrating a certain level of enterprise security across various platforms. CMMC involves a third-party assessor who looks at 17 aspects within the cybersecurity domain. These include access control, asset management, awareness and training, audit and accountability, personnel security, recovery, risk management and so much more.

Gaining a certificate in CMMC involves proving that your system has a level of maturity in each of the required domains. An assessor will also check that each of the domains integrates and works together to create a truly robust and secure outlook. 

CMMC contains five levels, a “level 1” certificate means that whilst security is adequate, it is basic. It might run ad-hoc with limited reporting and documentation. A “level 5” certificate shows that the assessor found highly advanced cybersecurity practices in place. This may include continuous and consistent improvement across cybersecurity systems, resilience against a range of threats, and advanced analytics and reporting.

Unlike previous cybersecurity standards, such as the HIPAA for federal health information, it’s no longer about simply following a set of rules or ensuring that a timeline of events occurs. Assessors will want to see adaptive change and fluid responses, based on real time reactions to threats and changes within the security set up.

The Need for Change in Cybersecurity Compliance

Global cybersecurity for defense departments is a genuine shield against threats of all kinds, from terrorism to the sale of sensitive data. The importance of staying compliant within the realm of advanced cybersecurity can’t be overstated. Although some may resist this move towards a more aggressive yet more flexible and human way of measuring security outcomes, there’s real need to see compliance assessments change in these ways. Cyber criminals are becoming ever more versatile, with a diversity of methods that can be quite shocking to those that have never experienced a breach.

The DoD has over 300,000 suppliers and contractors, and over one million subcontractors. If even one of those companies or contractors fails to provide robust cybersecurity, the risks could be enormous. The vulnerabilities of the supply chain has proven time and time again to be a major threat vector that bad actors exploit. This was the case with the Target breach, the British Airways breach, as well as numerous other less-publicized breaches. 

The Future of Compliance

CMMC might be aimed solely at DoD contractors, but it’s certainly a sign of things to come for all cybersecurity systems. Sophisticated cyber crime means there’s always going to be a necessity for more and more advanced cybersecurity. For compliance, that means assessing it from an organic, human viewpoint that sees the whole picture, rather than reducing compliance to a box ticking exercise that anyone can pass as long as they’ve performed the “right” actions at the right time.

CMMC formally starts in 2021 and assessors are in training now, getting ready to decide how robust the security posture is of a range of DoD contractors. If you want to keep up with the future of cybersecurity compliance, get yourself informed on the way the CMMC maturity certificates are scored. In time, it’s likely that all compliance systems will be scored this way. Rating your own security system against these measures will ensure you are future proofing the security of your business today.

Most compliance regulations can be daunting, and with the new Practices and Processes measurements of the CMMC, this new DoD regulation is no different. However, by leveraging a SaaS offering and by wrapping our Cyber Services around that offering, we at Port53 have been able to assist organizations of all sizes to quickly and effectively assess, track, implement, and achieve their desired level of CMMC maturity.