As we move into 2020, it’s important to remain up-to-date on cybersecurity standards, especially for companies that are contractors or subcontractors for the U.S. Department of Defense. In order to properly secure this defense and ensure contractors are following protocol, there is a new practice being put into play: the Cybersecurity Maturity Model Certification. Below, RP Abrasives tackles the ins and outs of cybersecurity requirements to expect in the next year.
What is the Cybersecurity Maturity Model Certification?
The Cybersecurity Maturity Model Certification (CMMC) is going to be a priority for companies contracted to manufacture products related to U.S. defense operations. Contractors will be required to obtain certification proving they are equipped to meet specific levels of security, with the end goal being to increase cybersecurity comprehensiveness. Using the CMMC model, companies will build on regulations that are often already required, such as NIST SP 800-171, with the intent being to strengthen protections around controlled unclassified information (CUI).
What Are CMMC Requirements?
DoD contractors will be evaluated on the policies they have in place, as well as the implementation of actions taken against cyber assaults. The outcome of this evaluation will determine the certification level received, ranging from Level 1 through Level 5. This will take place at the bidding stage as a preliminary qualification prior to placing a bid.
Certification Level Descriptions
LEVEL 1 – This is considered basic cyber hygiene, addressing cybersecurity systems or policies that are either inconsistent or limited in scope. Level 1 is highly achievable for small companies, though it only offers limited resistance against data breaches.
LEVEL 2 – This is considered intermediate cyber hygiene, which is more advanced than the basics of Level 1. Level 2 requires documented procedures and strategies that are somewhat established, including cybersecurity best practices. This level offers slightly more resistance against data breaches.
LEVEL 3 – This is considered good cyber hygiene, requiring cybersecurity implementation that is the equivalent of NIST SP 800-171. It also includes various benchmarks to measure effectiveness. Level 3 offers moderate resistance against data breaches or malicious cyber actions and requires extensive training and understanding of cybersecurity.
LEVEL 4 – This is considered a substantial, proactive cybersecurity system. This program requires continuous monitoring and knowledge as well as proactive leadership, which makes it resilient against advanced cyber threats and decreases data breaches.
LEVEL 5 – This is considered an advanced cybersecurity program, meaning there is continuous improvement and process standardization across the company that adapts as cyber assets change. Level 5 requires highly advanced capabilities that are able to deter advanced or persistent cyber threats.
How DoD Contractors Can Prepare for CMMC
As of January 2020, the CMMC framework will be put into place for bids as early as Fall 2020. To prepare for this implementation, contractors and subcontractors should establish a Plan of Action using NIST SP 800-171 as a starting point. All items will need to be comprehensively addressed. Defense contractors should familiarize themselves with cybersecurity requirements; a great way to do this is by connecting with an organization that already has experience in information security protocol and can serve as an advisor on meeting certification requirements.
Contact the Finishing Experts
At RP Abrasives, we are currently NIST SP 800-171 compliant and are in the process of becoming certified in preparation for the finalization of Cybersecurity Maturity Model requirements. If you’re a DoD contractor looking to learn more about our services, we would be happy to help discuss any contractual requirements you may have.
Contact us at RP Abrasives today to learn more!