You are probably reading this because you’ve heard about the introduction of the new framework for evaluating and protecting cybersecurity: The Cybersecurity Maturity Model Certification (CMMC), and you are wondering why it was introduced to replace the NIST 800-171 framework. In this post, we discuss the factors responsible for the introduction of the new framework and the roles CMMC plays in ensuring national cybersecurity.
What Led to the Introduction of a New Framework?
Two major factors are responsible for the introduction of Cybersecurity Maturity Model Certification. They include:
- Weakness in Supply Chain
The Federal Government does not produce most of the technical products it uses; it hires Prime Contractors to take charge of producing them.
However, technical products are compound items that often consist of several complex parts, each needing technical expertise and sometimes standardized manufacturing facilities to get the job done. Because many of these prime contractors do not have what it takes to produce these complex, specialized security products, they outsource the work to sub-contractors.
Hiring sub-contractors to get things done may seem completely harmless, since they have the expertise and manufacturing capability to do the job. However, many of them are not subject to strict security requirements to protect the sensitive government information held in their systems.
Their inability to guarantee the safety of government information poses a cybersecurity threat. How? As small companies with weak data security, they are an easier target for adversaries to go after.
- NIST 800-171 Failure
NIST 800-171 was the first attempt to protect controlled unclassified federal information, but it failed because of its weaknesses. Self-attestation by sub-contractors became the mode of compliance evaluation, and this didn't cut it. It didn't track security maturity, and complacency set in: the moment a company acquired the slightest level of compliance, no one saw the need to adopt more robust data security practices. More so, when investigated, there was about a 90% non-compliance rate among the companies that had claimed compliance through self-attestation, which further proved NIST 800-171 to be an ineffective form of cybersecurity test.
Where CMMC Comes In
CMMC was initiated to replace NIST 800-171 so as to rectify its mistakes. CMMC's primary purpose is to ensure that DIB companies employ the proper cybersecurity practices to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in their systems. CMMC also evaluates the maturity of the company's processes.
Unlike NIST SP 800-171, CMMC consists of 5 levels that ensure FCI and CUI protection. By doing this, the CMMC will enhance the security stance of defense contractors, thereby amplifying cybersecurity, economic security, and, generally, national security.
The execution of the CMMC was essential to raise the standards for operations, documentation, and access to digital systems. A key differentiator between CMMC and the past framework is that defense contractors no longer self-attest their compliance; a third party evaluates their activities to confirm their security maturity before compliance is certified.
Although contractors will still be responsible for implementing the stringent cybersecurity requirements, CMMC changes the pattern by demanding third-party evaluations of contractors' compliance against strict practices, approaches, and capabilities that together create a strong defense against cyber attacks.
CMMC's five certification levels were set up to reveal the maturity and competence of a company's cybersecurity capability to safeguard sensitive government data. The five levels are defined by their technical requirements. To move to the next tier, a company must have met the requirements of the lower tier, along with the other processes required to demonstrate robust cybersecurity practices.
The Cybersecurity Maturity Model Certification was introduced to mitigate national cybersecurity threats by making up for the shortcomings of the NIST 800-171 framework through its demand for stringent cybersecurity practices and procedures.
As a DoD contractor, you should learn the CMMC technical requirements and prepare to acquire your certification as these would determine your access to future federal government contracts.