Page 42 - Cyber Defense eMagazine January 2024

unnecessary data breaches. Security officials at the DoD found themselves handing out penalties and fines after hostile nation-state actors had already pilfered off critical data.

“Here’s the bottom-line challenge we all face. If we get this wrong, and we do too little, there is a vulnerable supply system that is compromised and weighed down when we need it,” CEO of the National Defense Industrial Association David Norquist said. “For national security, we need to protect against both disruption as well as tampering. But what makes a market so powerful is exactly what makes this challenge so hard.”

CMMC 2.0 brings more than 100,000 contractors and subcontractors under one policy, requiring ongoing certification. These same protocols required by the DoD can deliver the heightened cybersecurity every operation needs to defend against the relentless stream of cyberattacks.



How CMMC 2.0 Works

This cybersecurity policy evolved from standards published by the National Institute of Standards and Technology (NIST). An initial model included five cyber hygiene levels that applied to outfits based on the type of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) the enterprise stored and transferred. The five tiers were revised down to the following three in the CMMC 2.0 version, which is gradually being implemented.




• Level 1: Considered “Foundational” cyber hygiene, supply chain organizations that store or transmit FCI are required to follow 17 practices to meet 59 objectives. Companies that fall under Level 1 are tasked with self-assessments and reporting the findings to the federal government.
• Level 2: Protecting CUI, this “Advanced” cyber hygiene standard tasks companies with adhering to 110 NIST practices to achieve more than 300 objectives. Depending on the type of digital assets, companies can report annual self-assessments or be vetted by a CMMC Third Party Assessor Organization, also known as a C3PAO.
• Level 3: Recognized as “Expert” cyber hygiene, military contractors and enterprises with critical CUI must meet more than 110 NIST measures, as well as other related defenses. Companies undergo an audit every three years by a C3PAO, with the outcome reported to the Pentagon.



Businesses that fail to meet the CMMC 2.0 mandate will likely find themselves sidelined. Losing revenue streams from lucrative DoD contracts tends to be more whip than carrot in the push to secure sensitive military defense secrets. But that does not necessarily mean businesses should implement CMMC 2.0 solely to gain DoD approval. The cybersecurity policy proves equally effective at repelling hackers trying to infiltrate networks out of greed.









Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.