
January 21, 2020

Escalating Security Across Vendor Contracting

CMMC for government contractors: a shift from a static plan to a dynamic measure of compliance

The Department of Defense (DoD) plans to introduce the Cybersecurity Maturity Model Certification (CMMC) in early 2020. The CMMC will evaluate a vendor’s practice maturity based on the technical practices it has actually implemented, on a scale from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” It will also assess the vendor’s process maturity based on how far those cybersecurity practices are institutionalized across the organization, on a scale from “Performed” to “Optimized.”

This new certification sets a universal standard for vendors doing business with the DoD. The reach of enforcement and applicability has yet to be fully defined, but the intent is clear: a vendor must hold the CMMC level specified in a procurement at the time of award, and prime contractors must flow the applicable CMMC requirements down to their subcontractors. Even if you do not engage directly with the DoD, the CMMC may reach your business through your suppliers, third-party service providers, or customers.

CMMC filling compliance gaps

Building upon an existing self-attestation regime, the CMMC adds a cybersecurity verification component to confirm basic cybersecurity hygiene and to safeguard controlled unclassified information (CUI). Previously, the DoD required government contractors to have two NIST SP 800-171 artifacts in place: a System Security Plan (SSP) describing the controls in place and a Plan of Action and Milestones (POA&M) for the controls not yet implemented. Having both was enough to be recognized as an authorized vendor. Upon review, the DoD found that many active government contractors had not actually implemented the controls their plans described. Beyond the specific instances of non-compliance, this exposed a weakness in the model itself: a plan to implement security controls is not a strong enough threshold for measuring adequate security, and self-attestation offers no independent check that the plan was ever carried out. This realization highlighted the need for a standardized review process and criteria to measure vendors against.

What’s the CMMC all about?

Beyond filling these compliance gaps, the CMMC is shaped by the digital infrastructure businesses operate in and the threats emerging around it. The initiative behind the new certification is to make security a foundational element of vendor evaluation. Previously, the DoD focused on three questions:

  • Cost: how can the budget be optimized?
  • Performance: who delivers the highest quality service or product?
  • Schedule: can this vendor meet or exceed timeline expectations?

The rise in data breaches and the ambiguity around accountability for them have led to an increased emphasis on security. It does not matter if a project is of the highest quality, ahead of schedule, or significantly discounted if the information it handles is exposed.

The new evaluation process weighs each of these vendor criteria against the security measures and practices in place, and the CMMC supplies a standardized scoring and vetting process for doing so. Rather than accepting a static plan, the CMMC assigns each contractor one of five maturity levels, from Level 1 (least mature) to Level 5 (most mature). The DoD looks at security from two angles to assign that level:

  • What security measures are in place?
  • What processes implement, standardize, and optimize these security practices across the organization?

Effectively: which controls are actively monitoring and measuring your routine business practices, and which ongoing initiatives do you have in place to improve operations against the intended compliance framework?

Quality over Quantity

The CMMC takes a “best of breed” approach, incorporating controls from several leading frameworks, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others. The draft CMMC encompasses the following 17 domains, each with its own specific capabilities:

  • Access Control
  • Asset Management
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Recovery
  • Risk Management
  • Security Assessment
  • Situational Awareness
  • System and Communications Protection
  • System and Information Integrity

To become certified, a vendor must demonstrate both the appropriate maturity of its cybersecurity controls and the organizational maturity of its cybersecurity practices and processes to an accredited, independent third-party commercial certification organization.

The DoD is expected to release the first live version of the CMMC in January 2020. By June 2020, the industry should expect CMMC requirements to appear in requests for information. The OneTrust team is committed to tracking and indexing these changes as they are introduced, and the OneTrust DataGuidance research team is following the development of the CMMC. Stay up to date with auditing and enforcement actions regarding the CMMC at Free.DataGuidance.com. Version 0.7 is the latest draft available; it can be reviewed today on the website of the Office of the Under Secretary of Defense for Acquisition & Sustainment.

