The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a hot topic right now, and for good reason! It will require any company that does business with the federal government and stores sensitive information to comply with an extensive set of cybersecurity policies and go through an audit by an approved third party. This regulation can impact companies who simply store sensitive information as well. And while the latest version (2.0) was released in November of 2021 and may take up to two years to reach final approval by the Pentagon, obtaining a favorable rating of compliance will take time and work; companies who store sensitive data are urged not to postpone implementing the changes needed to comply with CMMC.
CMMC aims to unify and strengthen cybersecurity practices to avoid data leaks. It requires companies conduct a third-party assessment of their security protocols. The type of sensitive data can wildly vary depending on the contracts a company is awarded; for example, sensitive information concerning security clearances, construction information about building DoD facilities that must protect the amount of information known about the building, training programs for DoD special forces, and companies with DoD contracts building military vehicles. Each sector detailed has a varying degree of sensitive information that the DoD does not want in the public space. CMMC aims to provide a framework to secure all this data and hold companies accountable.
In CMMC 2.0, the security tiers changed from the previous five to three. Level 1 is “foundational,” including seventeen cybersecurity practices and an annual self-assessment. Level 2 is “advanced,” including 110 cybersecurity practices aligned with the National Institute of Standards and Technology Special Publication (NIST SP) 800-171 guidelines. Level 3 is considered “expert” and is the most secure rating a company can achieve. It includes over 110 cybersecurity practices based on NIST SP 800-171 guidelines and a triennial government-led assessment.
The Defense Counterintelligence & Security Agency (DCSA) is taking a more active role in communicating changes to the Cybersecurity Maturity Model Certification (CMMC) process. Cleared companies should continue to monitor this communication as DCSA may also play a part in enforcing CMMC in the future. Facility Security Officers (FSO) should have, at a minimum, a basic understanding of what CMMC is and how it will impact the company they work for.
DoD contracts are lucrative propositions and resting on one’s laurels concerning CMMC is a prime way to restrict revenue streams and place a company in dire straits, especially if working with the DoD, in any fashion, is a primary revenue source. Proactiveness needs to be at the forefront of a company’s mindset regarding requirements to do business with the federal government and store sensitive data. For many companies, DoD contracts are their livelihood. Many of these companies are already taking steps to attain CMMC 2.0. If your company is active in the DoD contract space, delaying this certification could prove costly for your revenue streams and, ultimately, your profitability.
David Touchton is the founder of FSO Services, and he can be reached at david_t@fso-services.com.
Jeremy Good is the Chief Information Officer at Carley Corporation.