Posted on Jun 9, 2020
In an effort to provide a unified cybersecurity standard for the private contractors to the Department of Defense (DoD), this past March, the DoD released the Cybersecurity Maturity Model Certification (CMMC). Specifically, CMMC is a new five-tier risk framework and is an update to the previously issued NIST 800 171. The first three levels of the CMMC certification include the requirements of its predecessor, while levels four and five pick up where NIST left off, adding additional cybersecurity best practices, such as continuous monitoring. Each of the CMMC certification levels include and build on the steps outlined in lower levels.
Approximately 300,000 companies will undergo this certification in the coming year, with certifications to be performed by third-party auditors designated by the CMMC Accreditation Body. Fundamentally, CMMC is a multi-tiered certification system rating government contractors and subcontractors’ cybersecurity posture and prioritizes risk maturity based on their placement within the supply chain. As such, the level of CMMC certification required of a company is dependent upon the nature of information flowed down from the primary contractor. CMMC ratings will also be considered in determining request for proposal (RFP) eligibility. Some believe that a failure to meet CMMC standards will disqualify contractors even at the RFP stage.
As part of our ongoing commitment to helping government agencies and their vendors quickly and efficiently make improvements to their cybersecurity posture, we’ve added new features to clearly address CMMC’s requirements.
In our security ratings platform, you can now find the CMMC framework under the Compliance Tab, allowing you to automatically map SecurityScorecard Ratings issues to the CMMC v1.02 and evaluate your own or your suppliers’ standing with this framework.
We’ve also added new questionnaire templates to Atlas -- our cybersecurity questionnaire validation and exchange solution -- to help you validate your business partners’ compliance with DoD standards at scale. If you’re already utilizing the NIST questionnaire template and are concerned about the overlap between the NIST and CMMC frameworks, don’t be. Simply use the auto-complete capability in Atlas to automatically complete the CMMC with your existing NIST responses.
The CMMC framework allows DoD to improve oversight of its supply chain, and for its contractors and subcontractors to demonstrate meaningful investment in their own cyber health. At SecurityScorecard, we’re proud to offer solutions that support government infrastructure, as part of our mission to make the world a safer place by transforming the way cyber risk is understood and alleviated.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.