Why Cybersecurity Maturity Model Certification (CMMC)?
Executive Summary:
Cybersecurity Maturity Model Certification (CMMC) is a response to verified trends.
Data shows:
- Cyber intrusion activity has shifted from primarily targeting Department of Defense (DoD) prime contractors to targeting their suppliers
- Economic losses due to cybercrime are already huge and increasing
- Defense Industrial Base (DIB) companies have largely ignored cybersecurity clauses in their contracts since 2017
- Many DIB companies are filing reports of full compliance that are likely false
Read More:
What’s the big deal about CMMC?
The main clause in CMMC that gets attention is the introduction of third-party certification of compliance with cybersecurity requirements. This applies not only for prime contractors but for all tiers of the supply chain. There are different levels of requirements depending on the sensitivity of the data you handle but all companies that do business with the federal government have at least 17 cyber requirements in contracts now even without CMMC.
Research indicates only 25% of the cyber requirements in existing contracts have been implemented so many organizations are at risk of losing DoD business if, as planned, certification of the entire bidding team becomes necessary before contracts are awarded.
What’s needed?
- If your organization is already working on compliance with existing requirements, then sharing this picture with stakeholders may help the medicine go down that much easier
- If your organization is not compliant with existing requirements then show this picture to your business decision makers to gauge their appetite for keeping their existing DoD business or going after new contracts
- Watch the SecuriThink Field Notes space for more posts on how we make the business case for cybersecurity to business asset owners
- If you have comments, please join the discussion on the relevant LinkedIn post here: https://www.linkedin.com/posts/lindarust_securithink-slide-why-cmmc-with-ndisac-graph-activity-6945093373502332929-IfD6
Sources:
- John Ellis, DoD Director, April 2022
- Jacob Horne conversations with DoD personnel. 2022
- NIST AM 100-32
- National Defense Information Sharing and Analysis Center (ND-ISAC)