Data breaches have reached a fever pitch over the last few years. The rapid frequency of successful attacks, coupled with the rising costs to businesses, has drawn attention at the highest levels of government worldwide. In the past, breaches were relatively "localized," that is, they affected the targeted company only. Newer attacks, however, have disrupted entire supply chains. While many companies have invested large sums to protect against such attacks, a comprehensive security program also requires the ability to demonstrably validate that security readiness to others.

What is CMMC?

Government agencies are an attractive target for attackers, and the supply chains of the Defense Industrial Base (DIB) and the Department of Defense (DoD) are tempting targets. The DIB sector contains more than 300,000 companies that contribute to all aspects of the Defense Department's mission. Multiple groups within the DoD have created a uniform system for all of these companies to demonstrate compliance. It is known as the Cybersecurity Maturity Model Certification (CMMC).

Many security professionals are familiar with the Cybersecurity Framework. Developed by the National Institute of Standards and Technology (NIST), it has become a recognized standard for organizations that aim to show security readiness through a formalized security program. The CMMC goes a step further: it gives a company the ability to prove readiness at one of several tiers, each of which can be objectively assessed by a third party rather than self-attested.

The CMMC offers five levels of certification, each assessed along two separate dimensions: processes (how institutionalized and mature an organization's security activities are) and practices (the specific technical and procedural controls it has in place). Each higher level requires both more mature processes and a larger set of practices, so a company must satisfy both dimensions to be certified at a given level. (This five-level structure is that of the original CMMC model; the later CMMC 2.0 revision collapsed it to three levels and dropped the separate process-maturity assessment.)

Pairing processes with practices in this way is a welcome addition to the canon of cybersecurity guidance. It makes clear which process maturity is expected alongside which set of practices at each level, which removes much of the seemingly discretionary judgement that exists in many other evaluation criteria.

Against that background, the CMMC goes further than