This is an original article from Cre8tive Technology and Design.
Steps to Take Working Toward Cybersecurity Maturity Model Certification
According to the United States Council of Economic Advisers, malicious cyber activity has been estimated to have cost the U.S. economy between $57 billion and $109 billion in 2016. This threat has not slowed down, with experts suspecting an annual GDP loss of about 1% due to continued cyber threats.
To address the ever-growing cyber threats facing high-risk industries in the defense industrial base (DIB) such as Aerospace and Manufacturing, the United States Department of Defense (DoD) established a set of cybersecurity standards defined in the Cybersecurity Maturity Model Certification (CMMC).
The CMMC accreditation has had a large impact on government contractors and subcontractors as their ability to bid on contracts is highly dependent on their level of cyber hygiene.
Where are Companies Vulnerable with Cybersecurity?
It’s no surprise that industries most vulnerable to cyber threats include healthcare, government, and energy. All of these industries are crucial to national security and infrastructure, making them attractive targets cybercriminals and enemies of the state.
There are many areas of vulnerability within the hierarchy of an organization’s digital infrastructure. The most common types of cyber threats include:
- Social Engineering: Human error is the most common threat to digital infrastructure. Social engineering tactics are used to trick users into giving away sensitive or classified information by means of phishing, baiting, scareware, etc.
- Ransomware: Ransomware is a form of malware that encrypts or holds sensitive data hostage in exchange for a ransom.
- DDoS Attacks: A distributed denial-of-service (DDOS) attack is used to disrupt the normal flow of traffic with superfluous bot activity, rendering a network, server, or system incapable of processing legitimate requests.
- Third-Party Software: The use of third-party software may contain security flaws that can be used as a medium to compromise internal data and other digital assets.
- Cloud Computing: Possibly the fastest-growing cybersecurity threat, hackers scan cloud servers to exploit vulnerabilities allowing them to steal data or install ransomware.
As cyber threats continue to evolve, government contractors and subcontractors must practice situational awareness and implement the latest cyber hygiene controls as cited in the CMMC. Maintaining cyber hygiene is critical to compliance and safeguarding Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
Steps toward CMMC
The Cybersecurity Maturity Model Certification is divided into five different maturity levels or steps. The CMMC maturity level an organization must achieve to work the DoD depends on the type of request for proposal.
To identify the appropriate CMMC level for your business, follow the process summary steps and standards for each of CMMC’s five levels.
CMMC Maturity Level 1: Focus on protecting FCI.
- Processes are performed, but rather informal with no documentation required.
- 17 Practices that constitute “basic” cyber hygiene specific to the 48 CFR 52.204-21.
CMMC Maturity Level 2: Prepare CUI documentation for security awareness practices and policies.
- Processes are performed and documented, enabling organizations to regularly practice them.
- 55 Practices that constitute “intermediate” cyber hygiene specific to the NIST SP 800-171.
CMMC Maturity Level 3: Implement a plan that defines proper cybersecurity practices.
- Processes are performed, documented, and maintained so that the organization can define standard operating procedures required for resourcing and training.
- 58 Practices that constitute “good” cyber hygiene specific to the NIST SP 800-171.
CMMC Maturity Level 4: Create a review process to adapt to evolved Advanced Persistent Threats (APT).
- Processes are performed, documented, maintained, and reviewed so that the organization can proactively measure the results of its cybersecurity efforts to identify vulnerabilities and adapt to current or evolving threats.
- 156 Practices that constitute “proactive” cybersecurity specific to draft NIST SP 800-171B.
CMMC Maturity Level 5: Optimize cybersecurity SOP’s throughout the organization.
- Processes are performed, documented, maintained, reviewed, and optimized so that the organization can normalize and continuously refine cybersecurity best practices.
- 171 Practices considered “advanced/proactive” with a focus on protecting CUI from APTs.
In order to secure an RFP with the DoD, government contractors are required to complete a self-assessment to identify at what CMMC maturity level their company operates.
Compliance Assessments
Before a CMMC certificate is issued to a DIB company, an authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs) will need to conduct assessments to verify that your organization meets the specified criteria outlined.
Seeking professional system security engineering and cybersecurity managed services will help to ensure a smoother accreditation process and is highly encouraged.
System Security Engineering Services
A strong component to the CMMC accreditation is System Security Engineering (SSE). SSE is critical to preventing the loss of data through human error, cyber-attack, or reverse engineering. Contractors working with the DoD need to make sure that their hardware, software, persons, and processes are all trusted and in sync.
Some of CTND’s system security engineering services include:
- Program and system security architecture development.
- Testing and implementation of security systems.
- Systems audits for export control.
Cybersecurity doesn’t stop after implementation. Continuous monitoring and refinements are required to keep systems up-to-date and compliant with CMMC guidelines. Organizations serious about maintaining compliance will need to seek out ongoing cybersecurity management services.
Ongoing Cybersecurity Managed Services
Continuous monitoring controls are required for transmitting and storing data on non-government information systems, as well as keeping up with APTs. CTND’s in-house IT support team provides ongoing cybersecurity managed services and employee training after the go-live period.
Complete the CMMC Training Series for Manufacturers
Department of Defense prime contractors and subcontractors are required achieve Cybersecurity Maturity Model Certification (CMMC) by 2025 in order to earn or retain DoD contracts. IMEC is offering a 15-part CMMC Cybersecurity Training Series for Manufacturers will guide you through the process towards CMMC certification, verifying to the DoD that you have adequate cybersecurity controls and policies in place to meet DoD security standards.
Live, virtual training begins July 7, and will meet monthly through September 2022. This series will:
- Translate the Cybersecurity Maturity Model Certification (CMMC) framework into language that manufacturers – not cybersecurity experts – can understand. Recordings of monthly training will be available for all participants.
- Provide an up-to-date deep dive into each of the CMMC control families and domains
- Outline monthly action step for you to make ongoing progress toward CMMC compliance –while still operating your company
- Provide 1-on-1 monthly guidance to make regular progress on the CMMC requirements
- Save $100,000+ in consulting costs for an external provider to complete the process of demonstrating compliance with CMMC in policies, procedures and practices.
