As one of the largest supply chains in the world, the U.S. Department of Defense (DoD) ecosystem consists of over 300,000 companies. While private companies are essential elements of these supply chains as a source of innovation and high-value solutions, they also introduce their own set of cybersecurity issues and risks.

According to the DoD, about $600 billion worth of data is stolen per year by foreign adversaries from supplier information systems. Given that many cybersecurity incidents go undetected or underreported, incidents such as SolarWinds are only the tip of the iceberg. In response, the DoD has pushed ahead with the CMMC, its cybersecurity framework published early last year.

In addition to new, government-wide acquisition contracts, CMMC requirements will be included on a task-order-by-task-order basis, specifying the required level of maturity for a specific contractor. But what exactly does CMMC address, and what are its goals and maturity levels?

What is CMMC?

Created as a response to the evolving cyber threat landscape, the “Cybersecurity Maturity Model Certification”, or CMMC, is an overarching standard for the implementation of cybersecurity across the Defense Industrial Base (DIB) and federal contractors. It’s also backed by federal universities and institutions, cybersecurity vendors, subject matter experts, as well as research and development centers across the country.

What is the goal of CMMC?

The goal of CMMC is to heighten and unify cybersecurity standards across the U.S. DoD supply chain. Through CMMC, DIB firms and their associated suppliers, vendors and other third parties will be required to implement proper practices and processes designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

In addition to building on well-known federal cybersecurity frameworks, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933, CMMC will also require DoD contractors to undergo external security audits. The intent is to prevent cybercriminals from reaching high-value entities through weaker links in the supply chain.

Who needs to be compliant with CMMC?

CMMC will impact any company that does business with the DoD. Today, the U.S. defense supply chain is made up of thousands of companies that play either a direct or indirect role in its operations. Both primary contractors and subcontractors will be required to maintain one of the designated security levels. It is envisioned that all contractors will be assessed annually and certified by October 1, 2024.

Would compliance with CMMC prevent an attack like SolarWinds?

With the increasing complexities associated with today’s digital supply chains, completely safeguarding an entire network against cyber attacks is virtually impossible. Although CMMC compliance would not thwart an intrusion entirely, it does enable early threat detection, equipping organizations to remain vigilant and minimize disruption in the event a vulnerability is discovered.

CMMC will be one of the tools the federal government employs to help address threats against itself and the private sector.

What are the five levels in CMMC?

CMMC categorizes cybersecurity best practices and processes into five degrees of maturity, ranging from basic practices (CMMC Level 1) to robust, optimized strategies (CMMC Level 5). Depending on the sensitivity of the information stored in the system, as well as the particulars of the federal program being supported, organizations will be required to maintain, at minimum, a basic cybersecurity structure.

Consider the risk management process as an example. Starting at Level 2, risk management maturity begins with practices such as “periodically assess the risk to organizational operations, assets”, and increases up to Level 5 with practices such as “utilization of an exception process for non-whitelisted software” and “analysis of the effectiveness of security solutions”.

How does CMMC address supply chain risk?

Again, CMMC was designed to harden security across the entire defense supply chain. Beginning with Level 4 Risk Management Maturity, supply chain risk management becomes an integral part of the risk management process.

CMMC compliance will be a marathon, not a sprint. Those that fall under the mandate should start assessing their preliminary maturity levels today. Not only will this prepare organizations for the audit; a compliance assessment can also identify gaps in their cybersecurity that could disrupt their supply chain in the interim.

Ready to get started? Discover what Black Kite offers for CMMC compliance.
