According to Matt Davies Stockton, you may have heard about the upcoming Cybersecurity Maturity Model Certification (CMMC). As a business owner who needs to comply with new regulations, it's important to find out whether your business needs CMMC certification, and at which level. Let's figure it out.
1. Cybersecurity Maturity Model Certification – CMMC is a DoD program rolled out to unify cybersecurity standards across the Defense Industrial Base (DIB), the network of contractors and subcontractors that build for the DoD, to protect it against hostile nation-states and other threats. The standard protects the government information that lives on contractor networks and raises the overall level of cybersecurity across the supply chain.
Contractor networks are a prime target because they hold Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) but are usually less well defended than DoD's own systems. That's why this standard requires contractors to implement, and prove through an assessment, a defined set of cybersecurity practices and processes. The certification measures the capability, readiness, and sophistication of DoD contractors in cybersecurity, so if you are a DoD contractor or subcontractor, you need to get certified at the level your contract specifies. The CMMC framework described here has five levels of certification. (Note that the CMMC 2.0 revision announced in November 2021 collapses these into three levels, so check the current DoD program guidance before you plan.) Let's check them out.
2. Level 1 – Level 1 certification is Basic Cyber Hygiene. It is the minimum level of certification you need to be a DoD contractor. This level makes sure that Federal Contract Information (FCI), information provided by or generated for the government under a contract that is not intended for public release, is protected. Its practices correspond to the basic safeguarding requirements of FAR 52.204-21: for example, sanitizing or destroying media containing FCI before disposal or reuse, and running malicious code protection (antivirus) that is kept up to date.
3. Level 2 – At this level, you maintain Intermediate Cyber Hygiene. DoD contractors are expected to establish sound cybersecurity policies and practices and to document them as well. Level 2 is a transition step toward protecting CUI: it covers a subset of the NIST SP 800-171 requirements, and during the evaluation your company should show that the relevant activities are carried out with the protection of Controlled Unclassified Information (CUI) in mind.
4. Level 3 – At this level, your company has Good Cyber Hygiene. That means your company can show that it actively safeguards CUI and has implemented all of the NIST SP 800-171 security requirements, plus a handful of additional CMMC practices. Your company gets Level 3 certification when it can establish, maintain, and resource a plan for carrying out the specific activities that protect CUI.
5. Level 4 – At the second-highest certification level, your cybersecurity approach should be Proactive. At Level 4, you need to establish proactive practices that improve detection capabilities and respond to the evolving tactics, techniques, and procedures (TTPs) of advanced persistent threats (APTs). These practices should be in place to defend against long-running, targeted attacks whose aim is to exfiltrate sensitive information and compromise CUI.
6. Level 5 – To get the highest level of certification, your business needs more sophisticated techniques and capabilities to detect APTs and respond appropriately to protect CUI. Your business needs to implement optimized and standardized processes across the entire organization, not just in one department. The level of CMMC you hold shows how serious your organization is about cybersecurity.
Matt Davies Stockton suggests that you get CMMC certification if you are a Department of Defense contractor. The level you need is set by the contract you are bidding on and by the kind of information you will handle (FCI only versus CUI), so depending on the scale and scope of your business and operations, it may be worth the effort to get a higher level of CMMC.