An unprecedented average of 1,300 complaints are fielded daily by the FBI regarding cyber security concerns. When the dust settled at the end of 2019, cyber crime had cost US businesses and individuals alone over $3.5 billion, according to the FBI’s annual Internet Crime Report. $9 billion of that amount can be chalked up to ransomware. To make matters more alarming, these numbers are expected to be a massive underestimate, because the statistics depend only on incidents reported to law enforcement. Malicious cyber activity has led to the loss of Controlled Unclassified Information, or “CUI,” from the Defense Industrial Base, which poses an extraordinary risk to national security. As the frequency and damage of cyber crimes continue to grow, the U.S. Department of Defense, or “DOD,” has developed new ways to modernize security across the defense supply chain.
Perhaps the most prominent effort to increase security came in the form of the Cybersecurity Maturity Model Certification. The CMMC, as it’s referred to, is a unified standard for implementing cyber security across the defense industrial base (DIB). The DIB includes more than 300,000 companies in the supply chain. The CMMC is the DOD’s response to compromises of sensitive defense information residing on contractors’ information systems. Contractors remain responsible for implementing, monitoring, and certifying critical cyber security requirements for their information technology systems. However, the CMMC changes the paradigm by requiring third-party assessments of contractors’ compliance. This is accomplished through mandatory practices, procedures, and capabilities that evolve to combat new and growing cyber threats from adversaries.
It’s expected that by 2026 CMMC requirements will apply to all new defense contracts. For contractors and small businesses, becoming CMMC compliant would likely mean a complete overhaul of their cyber security programs. The new cyber security standards will no doubt transform the industry, yet 58 percent of contractors are not aware of the initiative. The time to become familiar is now, since nearly every vendor in the national defense supply chain will need to be certified in the next few years. DOD contractors should learn the CMMC’s technical requirements and prepare for long-term cyber security agility immediately.
The CMMC contains five certification levels that reveal the maturity and reliability of a company’s cyber security infrastructure in safeguarding sensitive government information on contractors’ systems. The CMMC levels are separate tiers that build on each other’s technical requirements. At each level, a company must comply with the requirements of the lower tiers in addition to institutionalizing further processes around specific cyber security practices.
The five certification levels of the CMMC can be broken down as follows:
Level 1 states that companies must perform basic cyber hygiene practices, such as using antivirus software or having employees change passwords frequently, to protect Federal Contract Information.
Level 2 states that companies must document intermediate cyber hygiene practices to safeguard any Controlled Unclassified Information (CUI) by performing some of the security requirements of the US Department of Commerce’s National Institute of Standards and Technology (NIST).
Level 3 states that a company must establish an institutionalized management plan that implements good cyber hygiene practices to protect CUI. In addition, it must comply with all NIST security requirements plus additional standards.
Level 4 states that a company must have processes in place for reviewing and measuring the effectiveness of its practices, as well as establishing additional enhanced practices. It must also demonstrate an ability to respond to the changing tactics, techniques and procedures of advanced persistent threats (APTs).
Level 5 states that a company must have standardized and optimized processes in place throughout the organization, along with additional enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.
You may be asking who exactly needs to be certified under CMMC. The answer is anyone in the defense contract supply chain. The DOD estimates CMMC standards will affect 300,000 companies. Most contracts can be expected to require a certification between levels 1 and 3 to qualify for government work. The CMMC’s goal is to deliver trust throughout the greater supply chain security landscape. It accomplishes this by ensuring products are trustworthy, extending that trust down to the device and the software running on it. It will give organizations the means to verify that their products are free of counterfeit parts and that the software running on them has not been tampered with. Has your company taken the steps to become compliant with these requirements?
ACP CreativIT has a dedicated cyber security department. Whether you’re looking to start protecting your business, or you already have a solid foundation and want to ensure you are protected for the future, ACP CreativIT can help. Contact us to talk to one of our security experts today, or visit our cyber security page.