Should State and Local Governments Obtain Cybersecurity Maturity Model Certification?

How can we measure an organization’s effectiveness in applying cybersecurity controls across an enterprise? What checks are in place to enforce those controls?

If you are a U.S. Department of Defense (DoD) contractor with a role in the Defense Industrial Base (DIB), the answer is clear. You must obtain Cybersecurity Maturity Model Certification (CMMC).

Version 1.0 of the CMMC framework was released on Jan. 31, 2020; FAQs, updates and other related materials are available on the Office of the Under Secretary of Defense for Acquisition & Sustainment website.

Here’s an excerpt from CMMC version 1.0:

“The model encompasses the basic safeguarding requirements for FCI specified in Federal Acquisition Regulation (FAR) Clause 52.204-21 and the security requirements for CUI specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 per Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 [3, 4, 5].

The CMMC framework adds a certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

When implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for particular segment(s) or enclave(s), depending upon where the information to be protected is handled and stored.”

Still seem confusing?

To help explain the importance of the CMMC framework and how this model can and will impact and help both DoD and non-DoD entities, I turned to a friend and expert in the area, Mr. Taiye Lambo.

Taiye is a: “Thought leader, author, visionary, pioneer, serial entrepreneur, ...”

*** This is a Security Bloggers Network syndicated blog from Lohrmann on Cybersecurity, authored by Lohrmann on Cybersecurity.