You Need This to Do Business with the Department of Defense

Eric Seward July 11, 2023

In 2015, a phishing attack on the Joint Chiefs of Staff unclassified email servers caused an 11-day shutdown, affecting the work of 4,000 personnel. In 2019, the Defense Information Systems Agency network was breached, compromising countless employees’ Social Security numbers.

The number of data breaches continues to rise; according to Forbes, it was up 128 million in 2022 from the previous year. The Defense Industrial Base (DIB) and Department of Defense (DoD) are major targets for adversaries who have a lot to gain by learning more about our defense technologies.

As the threat of data theft rises, so does the need to protect our nation’s sensitive information.

For businesses operating in the United States defense space, one compliance requirement looms large: the Cybersecurity Maturity Model Certification (CMMC). CMMC assures that the companies responsible for our most advanced technologies possess the ability to safeguard the technologies from unauthorized or improper use.

CMMC is a compliance requirement that companies must meet to continue to do business with the DoD.

“The CMMC is a systemic attempt to apply security best practices that have been evolving for over two decades in some sectors, most notably finance and healthcare,” said 360 Advanced Practice Director David Brosi. “They are designed to fit the unique characteristics of the defense industrial base, its suppliers, and the advanced technology challenges facing the nation’s armed forces.”

Here are the top 3 things to know about CMMC:

It Now Has 3 Levels
It started as CMMC 1.0 and has advanced to CMMC 2.0, the newest iteration of the DoD’s CMMC cybersecurity model. Version 2.0 streamlines requirements from five to three levels and aligns the requirements at each level with accepted NIST cybersecurity standards.

  • Level 1—Foundational
    15 requirements; annual self-assessment and annual affirmation
  • Level 2—Advanced
    100 requirements aligned with NIST SP 800-171; triennial third-party assessment and annual affirmation
  • Level 3—Expert
    110+ requirements based on NIST SP 800-171 and 800-172; triennial government-led assessment and annual affirmation

The Relationship between NIST and CMMC
CMMC requirements result in either a contractor self-assessment or a third-party assessment to determine whether the applicable NIST standard has been met. The Defense Federal Acquisition Regulation Supplement (DFARS) clause states the basic safeguarding requirements for CMMC Level 1 compliance. Under CMMC 2.0, a Level 2 assessment is conducted against the NIST SP 800-171 standard, and a Level 3 assessment is based on a subset of NIST SP 800-172 requirements.

Can You Self-Certify with CMMC?
Certifications must be provided by an independent CMMC auditor, known as a C3PAO or CMMC Assessor. These organizations evaluate defense contractors’ cybersecurity practices and determine their compliance with the required level of cybersecurity controls specified by the CMMC framework.

“The goal is to ensure that contractors and suppliers handling sensitive unclassified defense information have adequate cybersecurity measures in place to protect that information from unauthorized access, disclosure, or theft,” Brosi said. “By following best practices, you can protect your organization and secure sensitive national security information.”

Turn to Us to Help
We help you navigate the complexities of CMMC compliance and help you elevate your cybersecurity practices and secure sensitive information. Our professional CMMC assessors guide you through the CMMC process, helping your organization elevate your security posture to meet the required cybersecurity controls. Contact us today.