CMMC: The shifting cybersecurity landscape: DoD is tackling CUI leakage.
DoD is plugging CUI leakage because loss of controlled unclassified information to adversaries compromises national security. Here’s why this matters:
- CMMC (Cybersecurity Maturity Model Certification), a framework that builds on existing cybersecurity controls, rolls out in 2020. CMMC is intended to improve the security posture of organizations across the defense industrial base (DIB) and reduce cyber risk by shifting from supplier self-attestation to objective third-party certification, and from compliance to maturity. For organizations, this means moving from saying you’ve implemented security controls to demonstrating that you’ve implemented them, you’re using them, and that they’re effective.
- Third-party audits are coming to enhance the effectiveness of DFARS 7012 and NIST 800-171 until contracts are subject to CMMC.
- OEMs will have to demonstrate maturity relative to the effectiveness of their security controls.
- For now, contractors can still self-attest to prescribed cybersecurity for contracts not yet subject to CMMC. Be aware that the government has been employing the False Claims Act against organizations that misrepresent compliance.
You can’t afford to wait to implement CMMC controls and practices.
When CMMC (Cybersecurity Maturity Model Certification) was announced in spring 2019, how and when it would affect OEMs, other contractors, and suppliers was unclear.
Now with release of CMMC V1.0, obligations and timing have become clearer.
With CMMC rolling out over the next five-plus years, only a small percentage of DoD contracts will be directly affected in 2020 and 2021 and, until CMMC is fully rolled out, OEMs remain responsible for assuring the cybersecurity of their supply chains as directed by DFARS 7012. They remain responsible for suppliers’ self-attestation relative to compliance with the 110 security controls mandated by NIST 800-171.
To further boost the efficacy of the current DFARS, and to better secure the supply chain, DoD will be stepping up audits of both OEMs and suppliers, and has begun penalizing organizations under the False Claims Act for knowingly submitting false data.
How Exostar can help
In this climate of heightened scrutiny, Exostar can help you streamline and assure supply chain compliance with DFARS. Businesses can, and do, employ our solutions to save the time and costs associated with validating cybersecurity with the rigor required by DoD.
Be prepared. We can help.