The High Level CMMC v1 Level 1 Overview

Etactics

Since 2005, there have been almost 12,000 recorded cybersecurity breaches.
McAfee estimates that cybercrime costs more than 1% of the entire world’s GDP. To put that in numbers, that’s over $1 trillion.
The number of cybersecurity attacks has only increased throughout the same period. Just over the past year, we’ve seen hacker groups target and successfully infiltrate some of the most secure internet systems in the world.
LINKS:
____________________________________________
etactics.com/b...
____________________________________________
Of course, I’m referring to the massive attack on the Texas-based government software contractor, SolarWinds. There was also the successful ransomware attack on the largest oil system in the United States, the Colonial Pipeline, which led to gas shortages all across the East Coast.
Both massive attacks occurred due to poor password management, which further solidifies the notion that employees are the biggest risk to an organization.
As a result of the increase in cyberattack attempts and successes, the government of the United States had no choice but to react. Enter CMMC, stage left.
The Cybersecurity Maturity Model Certification (CMMC) is the result of a push by the Department of Defense (DoD) to protect the confidential information that its contractors deal with daily.
The first version of CMMC came out in January 2020 and it affects all DoD contractors and their entire supply chain. Although it isn’t a requirement until 2026, it’s a huge overhaul of the processes for conducting business with the DoD.
Any contractor who doesn’t take this new regulation seriously and isn’t proactive in implementing its requirements years in advance risks losing its ability to bid on all of the DoD’s future RFPs.
Sure, if you’re a DoD contractor, you still have more than a presidential term to implement the model’s required safeguards and achieve the certification.
You could argue that there’s a chance that the aggressive push toward implementing CMMC will lose steam. Maybe the DoD will lessen its strict requirements when it realizes how much of a supply chain headache CMMC causes.
However, based on the DoD’s 2022 budget, CMMC isn’t going to disappear. In its budget, the DoD includes a $615 million line item for embedding “zero-trust architectures”. That line item directly relates to the purpose and requirements of CMMC.
In other words, it’s time to start thinking about how to achieve CMMC’s requirements ahead of time.
That means determining what level of contractor you are, understanding the required controls and implementing a way to attest that you’re following each requirement.
Before looking at the controls and blindly trying to follow them, you need to understand how CMMC works.
As it stands today, DoD contractors are already obligated to implement cybersecurity requirements.
CMMC places additional emphasis on those requirements by requiring third-party assessors to evaluate every contractor’s compliance with the mandatory practices and procedures laid out for it.
The DoD drafted CMMC so that contractors continue implementing cybersecurity requirements, enforcing this through third-party assessments of their compliance with mandatory practices and procedures.
In other words, a third-party assessor must come in and attest that DoD contractors enforce what they’re required to.
The statements I just made don’t do a good job of capturing the scale of CMMC and who it affects. Let me put it into perspective. During the DoD’s 2016 Fiscal Year, the organization contracted around 210,000 full-time equivalent (FTE) contractors. FTE is a measurement the DoD commonly uses that calculates the estimated number of man-hours contracted.
CMMC affects the majority of those DoD contractors plus those hired on a part-time basis, as long as they deal with controlled unclassified information. It’s a massive, upcoming, mandatory regulation that many organizations need to place time and energy into before it’s too late and they’re no longer qualified for their contracts with the DoD.
Of course, not every contractor provides the same service to the DoD. Some of the largest contractors provide F13 fighter jets, while others only supply the nuts and bolts for those planes.
Luckily, CMMC accounts for the differences between those organizations through different, defined certification levels.
Level 5 is the highest level of CMMC any contractor may achieve, meaning that only a select few will need to achieve it.
► Reach out to Etactics @ www.etactics.com
► Subscribe: rb.gy/pso1fq to learn more tips and tricks in healthcare, health IT, and cybersecurity.