Understanding the Cybersecurity Maturity Model Certification (CMMC)
Those responsible for IT and information security in the manufacturing industry are confronted with an ever-increasing number of applications to manage; by one industry estimate, the typical large enterprise runs over 3,400 applications. With all of those connected technologies come greater risks and a larger attack surface.
The Cybersecurity Maturity Model Certification (CMMC) is a standard being developed by the Department of Defense (DoD) to ensure that manufacturers in the Defense Industrial Base (DIB) have adequate cybersecurity measures in place to address those risks. Its practices are drawn largely from existing federal requirements, in particular NIST SP 800-171. The rules are still being finalized, but once approved, CMMC will be required for all defense contractors and their subcontractors.
Two key points about CMMC:
Applicability. CMMC applies to any company of any size that wishes to win and work on defense contracts, and it will be required throughout the DIB. Even small businesses that do not work directly with the DoD but provide a product or service under a DoD contract will need to comply. A simple test is whether an organization receives any income from a defense-related contract, whether as a prime contractor or as a subcontractor at any tier of the supply chain. The level of certification required depends on the kind of information the company handles, with Federal Contract Information (FCI) requiring less than Controlled Unclassified Information (CUI). Companies should therefore read their contracts carefully to understand if and how they participate in the defense supply chain and what data flows to them.
Timing. CMMC will be implemented after a DoD rulemaking process, already underway, that is expected to take 9 to 24 months. Companies will be required to comply once the rules go into effect. In the meantime, contractors and subcontractors are encouraged to keep strengthening their cybersecurity posture, since the underlying practices will not change once the rule is final.
Cybercrime is estimated to drain over $600 billion annually from global Gross Domestic Product (GDP). The threat landscape continues to grow rapidly year over year, and defenders struggle to keep pace. As such, companies, regardless of whether they work with the DoD, are encouraged to adopt sound cybersecurity practices within a "defense-in-depth" strategy. CMMC was created with exactly that goal in mind.
Not working with the government does not necessarily mean an organization can ignore CMMC. The basic principles behind CMMC compliance are proactive, consistently applied security best practices. Over the next few years it is expected that CMMC-style requirements will spread to other industries, with cybersecurity insurance underwriting being the most pressing example today. While only DoD contractors can be certified, every organization should at least be thinking about aligning with the CMMC practices, if only for its own peace of mind.
The team of experts at Clark Schaefer Hackett are here to help you stay on top of the latest CMMC developments.