In an effort to provide a unified cybersecurity standard for private contractors to the Department of Defense (DoD), this past March, the DoD released the Cybersecurity Maturity Model Certification (CMMC). Specifically, CMMC is a new five-tier risk framework and is an update to the previously issued NIST 800-171. The first three levels of the CMMC certification include the requirements of its predecessor, while levels four and five pick up where NIST left off, adding cybersecurity best practices such as continuous monitoring. Each CMMC certification level includes and builds on the steps outlined in the lower levels.
Approximately 300,000 companies will undergo this certification in the coming year, with certifications to be performed by third-party auditors designated by the CMMC Accreditation Body. Fundamentally, CMMC is a multi-tiered certification system that rates the cybersecurity posture of government contractors and subcontractors and prioritizes risk maturity based on their placement within the supply chain. As such, the level of CMMC certification required of a company depends on the nature of the information flowed down from the primary contractor. CMMC ratings will also be considered in determining request for proposal (RFP) eligibility. Some believe that a failure to meet CMMC standards will disqualify contractors even at the RFP stage.
How SecurityScorecard can help
As part of our ongoing commitment to helping government agencies and their vendors quickly and efficiently make improvements to their cybersecurity posture, we’ve added new features to clearly address CMMC’s requirements.
In our security ratings platform, you can now find the CMMC framework under the Compliance Tab, allowing you to automatically map SecurityScorecard Ratings issues to CMMC v1.02 and evaluate your own or your suppliers’ standing with this framework.
We’ve also added new questionnaire templates to Atlas -- our cybersecurity questionnaire validation and exchange solution -- to help you validate your business partners’ compliance with DoD standards at scale. If you’re already utilizing the NIST questionnaire template and are concerned about the overlap between the NIST and CMMC frameworks, don’t be. Simply use the auto-complete capability in Atlas to automatically complete the CMMC with your existing NIST responses.
The CMMC framework allows DoD to improve oversight of its supply chain, and allows its contractors and subcontractors to demonstrate meaningful investment in their own cyber health. At SecurityScorecard, we’re proud to offer solutions that support government infrastructure, as part of our mission to make the world a safer place by transforming the way cyber risk is understood and alleviated.