CMMC relationship (mapping) to other frameworks

Introduction

Today, we are continuing our Infosec series on the new U.S. Department of Defense Cybersecurity Maturity Model Certification (CMMC). This article will focus on how the new Defense Industrial Base (DIB) procurement gate builds on and links to the other well-known cybersecurity and procurement frameworks.

At its core, the CMMC is the DoD's new mechanism for introducing and enforcing a tiered evaluation system that audits contractor and supplier compliance with cybersecurity best practices, principles and controls. In practice, the CMMC is structured around five levels of cybersecurity maturity, each adding practices and process requirements on top of the level below it.

Most of the CMMC is based on the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 2 (NIST SP 800-171 r2), the control set that the Department of Defense (DoD) already required suppliers handling Controlled Unclassified Information (CUI) to implement (through the DFARS 252.204-7012 clause) in order to perform work on its behalf.

However, the CMMC seeks to forge a new path forward because of the complexity of implementing NIST 800-171, its low rate of adoption, the fact that compliance rested on contractor self-assessment with no independent check, and the recognition that different DoD projects call for different levels of cybersecurity "maturity." Most notably for many members of the DIB, the DoD expects compliance with the CMMC and the NIST 800-171 requirements to be verified by independent, third-party assessments rather than self-attestation. Given the sheer size of the DIB and the role that subcontractors play in securing CUI, the DoD hopes the "trickle-down" effect on cybersecurity and compliance across the supply chain will be dramatic.

CMMC model overview

Going forward, a DoD contractor must hold a valid CMMC certification at the required level to be eligible to bid on, be awarded or participate as a subcontractor on a project involving CUI.

As seen below, contractors are just required to

This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Patrick Mallory. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/NhV17H7aWBE/