Why is CMMC important?

The new Cybersecurity Maturity Model Certification is a major change to the way defense contractors prove their security is up to par. It’s a change many will feel is long overdue and although it brings extra costs and administration for contractors, it offers a competitive advantage for both government and private sector work.

In short, CMMC brings two major changes. The first is that businesses can no longer self-assess or self-certify their cybersecurity procedures; instead they need an independent review from an accredited assessor, and prime contractors are responsible for making sure the entire supply chain for a contract holds an appropriate CMMC certification. The second is that CMMC is a detailed and structured framework with 171 different measures assessed across five levels of security.

Mitigating Risk

The Department of Defense awards more than $400 billion a year in contracts, with just over half going to small businesses. CMMC should resolve four risks with the previous cybersecurity rules for contractors:

  • The very small risk that less reputable contractors deliberately falsify or mislead with claims about security.
  • The risk that in-house assessments allow too much leeway and bias in letting things slide because staff “know” that a particular shortcoming “won’t be exploited.”
  • The risk that different contractors interpret security standards in different ways, making it difficult to fairly compare security risks across the industry.
  • The risk that security flaws go unchecked further down a supply chain. (An estimated 300,000 businesses play some role in defense contracts whether directly or through the supply chain.)

While CMMC is primarily about protecting sensitive government data, it should improve security across the entire defense sector, reducing the risk of unauthorized access to specific information and trade secrets.

Contractors & the Supply Chain

For contractors and suppliers, the CMMC is hugely important as it will be a key and necessary part of winning contracts. Businesses will need to earn Level 1 certification (which is effectively a checklist of basic security measures) before they can bid for any contracts involving Federal Contract Information. Those which handle Controlled Unclassified Information will need to have reached an appropriate level to bid for a particular contract. The required level will be listed as part of the Request for Information or Request for Proposals.

This means that with each additional level a business reaches, there will be an increased range of contracts it can bid for, and those at higher levels will likely face a narrower field of competitors. The process of graduating from level to level is deliberate: contractors must pass the assessment for each level in sequence rather than applying directly for a higher level.

Another key element of the levels (and the reason the name refers to a “maturity model”) is that the higher levels don’t simply involve a bigger checklist of measures. Instead, they require evidence of evolving and more sophisticated approaches to security, with level 4 needing proactive security procedures and level 5 meaning all procedures are fully optimized.

Given CMMC is taking effect whether contractors like it or not, the best approach is to view the process as a positive. Preparing for and undergoing an independent assessment using a sophisticated framework will not only reveal shortcomings in a contractor’s security setup but also give them an incentive to fix the issues. That can only improve the overall security, both making the business more attractive to private sector clients and reducing the risk of embarrassing and costly breaches.

Now that you know more about why CMMC is so important, you may want more help and advice on how to boost your cybersecurity. Contact us today and we’ll be happy to talk through the services we can offer.
