Coming Soon: Department of Defense Cybersecurity Maturity Model Certification Takes Aim at Protecting the Defense Supply Chain

Ways to begin preparing for the unified certification standard

The Department of Defense (DoD) is creating a unified certification standard, the Cybersecurity Maturity Model Certification (CMMC), to ensure vendors that are a part of the defense industrial base (DIB) sector have the appropriate cybersecurity capabilities to protect DoD-shared and controlled unclassified information (CUI). Its efforts are aimed at protecting the defense supply chain end to end.

Still in the drafting stage, CMMC version 1.0 will go to the CMMC accreditation body next month. The first requests for information that include CMMC requirements are set for release in June 2020, and the corresponding requests for proposals are slated for some time during the fall of 2020.

The CMMC model framework currently has 18 domains based on existing cybersecurity best practices. Listed under each domain are capabilities—achievements an organization must reach to provide cybersecurity within that domain. These capabilities are then mapped across five CMMC levels: Level 1—basic cyber hygiene, Level 2—intermediate cyber hygiene, Level 3—good cyber hygiene, Level 4—proactive, and Level 5—advanced/progressive. Processes, which show the organization’s level of maturity for each practice, range from Level 1—Performed, to Level 5—Optimized.

DoD stated that its goal is for small businesses to be able to affordably and cost-effectively implement CMMC at Levels 1 to 3. To this end, examples of Level 1 practices include anti-virus software, ad hoc levels of incident response, cybersecurity, and governance, and the ability to provide limited resistance to threats; Level 2 practices require risk management, awareness and training, backups and security continuity, and the ability to provide minor resistance to threats; and Level 3 practices must cover all NIST SP 800-171 rev. 1 controls, have an information security continuity plan, communicate threat information to key stakeholders, and provide moderate resistance to threats. Levels 4 and 5 practices are designed for a smaller set of the DIB sector involved in DoD-critical programs and technologies.

DoD plans to have third-party assessment organizations (3PAOs) conduct audits and assess the risk level for DIB vendors applying to do business with the department. This seems to be in keeping with the civilian Federal Risk and Authorization Management Program (FedRAMP), which uses authorized 3PAOs such as TalaTek to assess the readiness and security standards of cloud service providers’ solutions.

TalaTek’s approach to helping Defense Industrial Base vendors achieve CMMC compliance

TalaTek can help organizations comply with these requirements once finalized. We start by helping you interpret the CMMC standards relevant to your DIB business and determine your ability to protect CUI at the Level appropriate for your mission. And we can advise you on the next steps to take to reach that Level. Furthermore, to determine your business’s ability to protect CUI within the CMMC framework, we recommend a cybersecurity gap analysis.

Simply put, a gap analysis:

  • Reveals the current state of your organization’s risk profile and security posture.
  • Compares your security program’s performance to your target Level goals.
  • Identifies areas of improvement.
  • Helps you prioritize your investment and resources so you can reach your goals.

TalaTek’s methods for conducting a gap analysis include:

  • Reviewing all your relevant IT policies, processes, and documentation based on the CMMC industry standards and security framework,
  • Performing analysis against gathered data, mapping to CMMC-specified standards, and identifying specific gaps in the implemented controls, and
  • Developing mitigation strategies for the identified gaps and providing recommendations for compliance with CMMC requirements.

To learn more about the current state of CMMC and how TalaTek can help, contact us at
