CMMC – Staying Ahead of the Bow Wave

Written by: Aaron West

A bow wave is formed at the bow of a ship as it moves through the water and can be a risk to other boats in the harbor. The Department of Defense’s new cybersecurity standard is about to create a similar “bow wave” that could catch businesses off guard if they are not ready for it. The DoD published version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) in January 2020. The CMMC is a unified cybersecurity standard for DoD acquisitions that will be in effect starting soon. Whether you’re a manufacturer, a software developer, or a consulting firm – this standard will apply to your business if you have or seek DoD contracts. The Office of the Under Secretary of Defense for Acquisition & Sustainment and the CMMC Accreditation Body are expected to provide more information about how it will be implemented in the coming months. Regardless, with version 1 of the model, we have the standard upon which the certifications will be based and can use it to prepare accordingly. However, understanding the critical differences in the levels of maturity, as it relates to specific DoD supplier actions, can be challenging to discern. We’ll review the first three levels of certification, the purpose for each, and what it means for you as a current or future DoD supplier. In a future article, we will examine Levels 4 and 5.

When you study the graduated levels of cybersecurity maturity in the model (see Figure 1), you understand that there are increasingly more controls required. One starts at the “basic” level and then moves to “intermediate” and so on, but what does this mean for you, the DoD supplier, in real terms?

Figure 1 – CMMC Levels of maturity by number of practices

First, what classified information do you have and therefore need to protect? Second, what threat will you likely face based on the sensitivity of the information you possess? The Department of Defense will use these criteria to determine the maturity level required in the contract. It’s projected that most contracts will require achieving Level 3 maturity if there is Controlled Unclassified Information (CUI) to be processed.

CUI is unclassified, but it still requires safeguarding. Examples include data that could reveal the state of U.S. critical infrastructure or disclose details of unique parts under export control restrictions. Federal Contract Information (FCI) is less sensitive than CUI and typically consists of scheduling and sales-related data. The CMMC model considers that if you meet the Level 1 requirements, your business is adequately protecting FCI and that at Levels 2 and 3, you are “transitioning” to safeguard CUI and protecting CUI, respectively. With Level 2 labeled a “transition” state, one can infer that Level 3 will be required more often in defense contracting than Level 2 when there is CUI involved. What is required of you, the contractor, to meet the transition to “good” cybersecurity at Level 3?

Figure 2 – comparing CMMC processes and practices