America Needs the Cybersecurity Maturity Model Certification (CMMC) Program

Most Americans are aware that cyber-attacks have negative economic, military, and diplomatic consequences for our nation. As the U.S. government continues to improve its cybersecurity posture special attention is being paid to its supply chain, specifically the U.S. Department of Defense’s supply chain known as the defense industrial base.

In the past, the U.S. Department of Defense included DFARS clause 252.204-7012 in some of its contracts. This clause required companies to implement the NIST SP 800-171 set of security controls and to report cyber incidents to the DoD. How did the DoD know if these contractors had implemented their security control requirements? They didn’t. Companies were only required to self attest to having implemented the required security controls and document them in a system security plan (SSP). Any controls they couldn’t implement by the DoD’s deadline were documented in a plan of action & milestones document for implementation at a later date. As you can imagine this wasn’t the best way to protect the defense industrial base from cyber threats however it was a harbinger for what was to come.

Relying on DoD contractors to invest in cybersecurity without any third-party oversight has generally failed. With the new cybersecurity maturity model certificate (CMMC) program both small and large companies will have cybersecurity requirements. The requirements will be tailored to the type of information contractors will handle. This will generally help protect smaller companies from the high costs of a full-fledged cybersecurity program. The expectation is that most of the 300,000 companies expected to have CMMC requirements will have a CMMC level one requirement which mandates companies to practice basic cyber hygiene.

When it comes to password requirements, find a middle ground that works best for your company's culture and the capabilities of your employees.

Getting all 300,000 companies that makeup America’s industrial base is no easy task. The CMMC accreditation board expects to have 10,000 assessors trained to audit contractors. These companies are located all over the world. They have documentation and IT systems in different languages. Some have even raised ethical concerns over the manner in which CMMC will be carried out. Some prefer that the DoD handles the auditing. Contractors are also worried about the costs of CMMC. Earning the CMMC certification is one thing but the costs of maintaining a cybersecurity program are another.