It is predicted that cybercrime could cost the world up to $10.5 trillion annually by 2025. In 2020, the US Department of Defense (DoD) proactively launched the Cybersecurity Maturity Model Certification (CMMC) in an effort to protect and verify the cybersecurity of its supply chain.
What does that mean exactly?
CMMC will become a contractual requirement of any awarded contract for DoD contractors (prime contractors and subcontractors alike) by 2025. The certification has 5 maturity levels, ranging from basic to advanced, and CMMC certification must be renewed through reassessment every 3 years.
Who needs to be certified?
As of Nov 30, 2020, the DoD began rolling out a requirement that all contractors and subcontractors be certified by an independent CMMC Third-Party Assessment Organization (C3PAO). This provides proof to the DoD that each contractor and subcontractor can be trusted with Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
More than 350,000 US organizations fall under these requirements.
Levels of CMMC Certification
There are 5 levels of maturity for CMMC, but so far, the DoD has focused its rollout and assessment guidance on the first 3 levels.
Level 1 of CMMC is for safeguarding Federal Contract Information (FCI). This is the base level, with the fewest requirements. Level 1 focuses on who has access to FCI: the users, systems, connections, and processes that touch it must be identified and known to the company. All on-site visitors must be escorted, and their visits must be logged once they have entered the facility. Flaws or issues in the systems, even small ones, must be identified, reported, and corrected in a timely manner, and antivirus software must be in place to protect these systems from malicious code.
Level 2 of CMMC requires established and documented policies and procedures for implementing the CMMC security practices. This level is the stepping stone to CUI: it transitions a company from handling only FCI to being ready to handle CUI.
Level 3 of CMMC protects CUI. Level 2 gets you here; Level 3 adds the establishment, maintenance, and resourcing of a plan for implementing the practices. Limits are now placed on machines, such as a maximum number of incorrect login attempts and automatic locking of idle sessions. Level 3 also has requirements for mobile devices that handle CUI and rules for remote access sessions. The requirements are far more extensive at Level 3.
Though not as much information has been released about Levels 4 and 5, we know that they are aimed at reducing the risk from Advanced Persistent Threats (APTs). These are well-resourced adversaries that use multiple attack vectors (cyber, physical, deception) in a sustained campaign against a target. Level 4 requires that security practices be reviewed and measured for effectiveness against these types of attacks, and Level 5 requires those practices to be standardized and optimized across the organization, making it the most demanding level to attain.
Where and how to become certified
The specifics of CMMC compliance are still fairly new, but we know that the deadline is 2025. The sooner an organization has these practices in place, the more securely and efficiently it can operate in the meantime.
Brea Networks holds a CMMC Provisional Assessor certification and is a CMMC Registered Practitioner and C3PAO. If you are looking to get more information about becoming CMMC compliant or are ready to prepare for CMMC, we invite you to speak with our specialist today to discuss your organization and readiness for CMMC.