CMMC: Supply Chain Cyber Defense

By Uday Ali Pabrai, Chief Executive Officer, ecfirst

It is 2030. If we look back to 2020 and 2021 we will find the roots of the U.S. Department of Defense (DoD) standard, the Cybersecurity Maturity Model Certification (CMMC). The core objective of this new DoD standard is to secure the 300,000 plus DoD suppliers. A weakness in the supply chain impacts the security of confidential, sensitive DoD information, such as Federal Control Information (FCI) and Controlled Unclassified Information (CUI). FCI and CUI must be protected, must be secured. That is the core focus of the DoD’s CMMC cybersecurity standard.


Organizations have to achieve CMMC Certification – this process of achieving certification validates that the organization has implemented the specific requirements of the CMMC model. The core objective of the certification is to ensure that vendors providing products and services to the DoD have an appropriate level of implemented cybersecurity capabilities; hence, the CMMC standard.


The threat to DoD FCI and CUI data is a threat to not just the information, but to our national security. The threats are Advanced. The threats are Persistent. These are referred to as Advanced Persistent Threats, or APT. The CMMC model is designed to ensure the Defense Industrial Base (DIB), that is the 300,000 suppliers, have a resilient architecture to mitigate such risks to sensitive information and assets.

CMMC Facts

Let us take a closer look at the CMMC model. It is organized into five maturity levels, or ML. The ML ranges from ML1 through ML5. ML1 is the entry level that results in what is referred to as Basic Cyber Hygiene. ML2 is about Intermediate Cyber Hygiene, ML3 is Good Cyber Hygiene, ML4 is Proactive, and ML5 is an Advanced/Progressive cyber program.

The maturity levels are cumulative. For an organization to achieve a specific CMMC level, it must demonstrate achievement of the preceding lower levels.

Further, the CMMC model is organized into 17 Domains. The Domains include capabilities, processes, and practices.


The higher the CMMC Maturity Level, the greater the requirements are to secure the organization. The CMMC combines various cybersecurity standards and maps these best practices and processes to corresponding maturity levels, ranging from basic cyber hygiene to highly advanced practices.

Cybersecurity and compliance professionals cannot afford to be illiterate on the CMMC standard. Today, CMMC directly impacts the DoD supply chain. In the near future, CMMC will emerge as a standard that impacts other federal and state government cyber programs, as well as organizations globally. Get to know CMMC and how it can improve your organization’s cyber defense.


As the chief executive of ecfirst, a firm focused on cyber defense and compliance, Mr. Pabrai has consulted with thousands of organizations across the United States and globally. He has presented keynote and featured briefs on cybersecurity at conferences worldwide. His career was launched with the U.S. Department of Energy’s nuclear research facility, Fermi National Accelerator Laboratory. He has served in senior officer positions with NASDAQ-based firms. He is a member of the FBI InfraGard. He can be reached at Pabrai@ecfirst.com.
