Page 42 - Cyber Defense eMagazine January 2024
unnecessary data breaches. Security officials at the DoD found themselves handing out penalties and
fines after hostile nation-state actors had already exfiltrated critical data.
“Here’s the bottom-line challenge we all face. If we get this wrong, and we do too little, there is a
vulnerable supply system that is compromised and weighed down when we need it,” said David Norquist,
CEO of the National Defense Industrial Association. “For national security, we need to protect against
both disruption as well as tampering. But what makes a market so powerful is exactly what makes this
challenge so hard.”
CMMC 2.0 brings more than 100,000 contractors and subcontractors under one policy and requires ongoing
assessment and certification. The same controls the DoD requires can deliver the heightened cybersecurity
every operation needs to defend against the relentless stream of cyberattacks.
How CMMC 2.0 Works
This cybersecurity policy evolved from standards published by the National Institute of Standards and
Technology (NIST), chiefly NIST SP 800-171. The initial model defined five cyber hygiene levels that applied
to organizations based on the type of Federal Contract Information (FCI) and Controlled Unclassified
Information (CUI) they stored and transmitted. CMMC 2.0, which is being phased in gradually, collapsed
the five tiers into the following three.
• Level 1: Considered “Foundational” cyber hygiene, supply chain organizations that process, store or
transmit FCI must implement 17 practices, assessed against 59 objectives. Level 1 companies perform an
annual self-assessment and report the result to the federal government.
• Level 2: Protecting CUI, this “Advanced” cyber hygiene standard requires the 110 practices of NIST SP
800-171, assessed against more than 300 objectives. Depending on the sensitivity of the information
involved, companies either submit annual self-assessments or undergo a triennial assessment by a CMMC
Third Party Assessor Organization, also known as a C3PAO.
• Level 3: Recognized as “Expert” cyber hygiene, contractors handling the most critical CUI must meet all
110 NIST SP 800-171 practices plus a subset of the enhanced requirements in NIST SP 800-172. Assessment
at this level is government-led rather than performed by a C3PAO, takes place every three years, and
the outcome is reported to the Pentagon.
Businesses that fail to meet the CMMC 2.0 mandate will likely find themselves sidelined. Losing revenue
from lucrative DoD contracts is more stick than carrot in the push to secure sensitive defense information.
But that does not mean businesses should implement CMMC 2.0 solely to gain DoD approval: the same
controls are equally effective against financially motivated attackers trying to infiltrate networks.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.