CMMC: The Importance of Cybersecurity in the Defense Industry Base
The FBI has reported that there was a 300% increase in cybercrime reports since the COVID-19 pandemic began. Experts expect spending on cyber security to reach $170.4 billion by the end of this year and cybercrime damages to reach $10.5 trillion per year by 2025. So what can we do to help our companies cybersecurity?
One program developed to enhance protection standards against cyber-attacks in the defense industrial base (DIB) is the Cybersecurity Maturity Model Certification (CMMC).
CMMC 2.0 Framework
The Cybersecurity Maturity Model Certification (CMMC) is a set of cybersecurity requirements designed to protect sensitive unclassified information that is shared by the Department of Defense (DoD) with its contractors and subcontractors. The model has three key features:
1. Tiered Model – This requires companies to implement cybersecurity standards at different levels based on the type and sensitivity of the information. It also establishes the process of sharing required information with subcontractors.
2. Assessment Requirement – This allows the DoD to verify implementation of the standards.
3. Implementation through Contracts – This requires certain DoD contractors to achieve a particular CMMC level as a condition of contract award.
CMMC 1.0 has been a standard requirement since November 2020, with a five-year phase-in period. Since then, the Office of the Undersecretary of Defense, Acquisition and Sustainment Office has developed and published materials related to the next iteration: CMMC 2.0. CMMC 2.0 is still in the rulemaking process, therefore it is not a contract requirement until that process is complete. The changes are outlined in the graphic below:
These changes include streamlining the model from 5 to 3 compliance levels aligned with the National Institute of Standards and Technology (NIST) cybersecurity standards, reduced assessment costs through some self-assessments, increases oversight of standards of third-party assessors, allows certain companies to make Plans of Action & Milestones (POA&Ms), and waivers to certain requirements in limited circumstances.
Steps Your Company Can Take to Protect Against Cyber Threats
There are a few steps your company can take now to protect against cyber threats.
1. Educate people on cyber threats – 95% of all cybercrime and security breaches are due to human error. In 2020, 48% of all malicious email attachments were sent as Microsoft Office files. Educate yourself and your employees to set strong passwords. Standard guidelines for strong passwords include making them long (such as 12 characters or more), use a combination of letters, numbers, and symbols, make each password unique, and avoid personal information or common words in your password. Additionally, users should undertake training to help recognize potentially malicious links and phishing strategies.
2. Implement access controls – Limit the access authorized users have to only what they need to perform their job. This can help prevent users that have had their security breached from reaching other systems in the network.
3. Authenticate users – 81% of security breaches are due to weak or stolen passwords. Multi-factor authentication is an important tool to verify the identity of users in addition to their password. It is much harder for someone to gain unauthorized access with multi-factor authentication in place.
4. Monitor your physical space – Monitor and escort visitors to your business, especially around computer and network access points to help prevent unauthorized physical access to your systems.
5. Update security protections – Make sure to download the latest security patches and they are from a trusted search. New vulnerabilities are found all the time and need to be fixed as soon as possible.
Additionally, the DoD has developed Project Spectrum to help DIB companies assess their cyber readiness and begin adopting sound cybersecurity practices.
Cybersecurity is extremely important to every business in the government, commercial, and private sector. CMMC is one of many steps your business can take to help protect against cyber threats. If you are interested in learning more about the CMMC process, please reach out to our team at firstname.lastname@example.org.