The global average cost of a data breach is estimated at about $4.35 million (IBM's 2022 Cost of a Data Breach Report). Any breach is unwelcome, but it is particularly damaging when a government entity or program is compromised and sensitive information falls into the wrong hands. That is a big part of the reason contractors working on Department of Defense jobs are being required to achieve Cybersecurity Maturity Model Certification (CMMC). In this post, we'll discuss what CMMC is, why it's so important and how contractors can achieve it.
Cybersecurity Maturity Model Certification Explained
Cybersecurity Maturity Model Certification, or CMMC, is a Department of Defense (DoD) program that applies to Defense Industrial Base (DIB) contractors, the companies that work for and with the DoD. Because these contracts and the resulting work involve sensitive information, contractors need an enhanced level of cybersecurity to ensure that the work is properly safeguarded. That is where CMMC comes into play.
CMMC exists to keep sensitive government data secure at a level comparable to what military and federal agencies apply to their own systems. It is a mandatory certification for any contractor working on a covered project, and the need for it is growing as attacks on DoD systems and their suppliers reach record highs. The program was created by the Office of the Under Secretary of Defense for Acquisition and Sustainment and is designed to ensure that Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) are properly safeguarded throughout the duration of a project.
Why is it Important?
The Department of Defense published cybersecurity requirements for contractors in 2015 (the DFARS 252.204-7012 clause, which points to NIST SP 800-171) and gave DoD contractors until the end of 2017 to meet those requirements or risk losing contracts. Compliance was self-attested, and those self-attestations were later deemed inadequate: they did not provide a level of security that could reliably safeguard sensitive information. Earlier failures to meet cybersecurity standards are believed to have allowed foreign nations to develop military equipment based on data stolen in breaches. For example, China is believed to have developed stealth fighter jets based on F-35 design data stolen in a 2009 breach.
Today, CMMC cannot be self-certified; an accredited CMMC Third-Party Assessment Organization (C3PAO) must perform the assessment. (One caveat: the CMMC 2.0 revision announced in November 2021 collapsed the original five levels into three and allows annual self-assessment at Level 1 and for some Level 2 contracts, so the exact assessment path depends on the level your contract specifies.) We'll get into more on how to get the certificate in the next section.
How Do You Get the Certification?
As we noted, CMMC compliance can no longer be established through self-attestation alone. An accredited, independent third-party assessment organization performs the assessment, and the contractor seeking DoD work pays for it.
The assessor evaluates a contractor across 17 domains drawn from established cybersecurity practice, including access control, incident response, system and communications protection, and identification and authentication, among others. The original CMMC model measures these across five maturity levels, and the level a contractor must achieve is specified in the RFP. Contractors don't need to hold the certification when they bid on a project, but it is a condition of contract award, so they must have it before work begins. A contractor without the required certification will be unable to work on those DoD jobs.
Compliance with CMMC is usually achieved by implementing the security controls the required level calls for (at the higher levels, the 110 requirements of NIST SP 800-171), deploying the tooling needed to enforce and monitor them, and documenting the policies, procedures and physical and personnel security practices that show those controls are actually in place.
Contact Ace Consulting Today
Cybersecurity Maturity Model Certification doesn’t just help a firm qualify to work on DoD jobs, but it can significantly reduce the risk of data breaches, fend off cyber threats, decrease the risk of any insider wrongdoing and achieve compliance with other, similar regulations. For more information on CMMC, contact ACE Consulting today.