By Amos Aesoph, Xigent CISO
Over the past year, cyberattacks on government networks have been big news. Hackers have breached federal and state agencies, schools and local governments, and law enforcement with ransomware, holding IT systems and data hostage.
To combat the risk of permanent damage to national security and the country’s infrastructure and supply base, a new cyber security certification called the Cybersecurity Maturity Model Certification (CMMC) is being required for some federal contractors.
The new rules apply to an estimated 300,000 organizations that do business with the Department of Defense as contractors or subcontractors, selling supplies, providing services, or doing construction work. In the past, these businesses were able to self-certify their cyber security processes, but that’s about to change.
The CMMC is a security framework that the DoD will use to assess the security, capability, and resilience of contractors and subcontractors. Organizations will need to verify their ability to adequately protect sensitive unclassified information.
Contractors will soon have to meet a series of requirements to be certified, with five possible tiers of cybersecurity maturity specified. Level 1 is the most basic, requiring organizations to perform basic cyber security practices, including 17 different security controls. Additional requirements must be verified at every level, up to Level 5, where organizations must demonstrate an advanced, proactive cybersecurity model.
To obtain any of these levels of certification, organizations will need to be assessed by a qualified third-party certifier. The national CMMC Accreditation body is training those third-party assessors right now.
This new certification will be mandatory for every company that does any type of business with the DoD. If your organization is one of them, the CMMC needs to be on your radar right now. The CMMC requirement is being rolled out gradually, but all DoD suppliers will need to be certified by 2025. Federal officials recommend beginning your certification process at least six months before you need it.
Xigent CISO Amos Aesoph has attained registered practitioner status for the CMMC and can consult on the reliability and maturity of your company’s cybersecurity. Schedule a conversation today to learn more about the process involved in becoming a CMMC certified supplier.