The Cybersecurity Maturity Model Certification (CMMC) was established in 2020 by the United States Department of Defense (DoD) as a unified cybersecurity standard for all contractors that provide goods and services to the DoD. The standard has evolved since then in response to the need for tighter cybersecurity measures, particularly in light of the increasing number of cyberattacks on government organizations and private companies. In this introductory article, we will explore the history of CMMC, why it was necessary, how it has evolved since 2020, the pushback and roadblocks it has met, and ultimately why it will be a requirement.
A brief history of CMMC and its evolution
We can trace the history of CMMC back to the National Defense Authorization Act (NDAA) for Fiscal Year 2019. Section 889 of that act prohibited government agencies from procuring goods and services from companies that used certain telecommunications and video-surveillance equipment manufactured by Chinese technology companies. The provision was aimed at safeguarding against possible espionage and data theft by those firms. The concern was not abstract: the supply-chain compromise that prompted it was reported to have reached almost 30 U.S. companies, some of them among the largest and most prominent vendors to the United States government.
The NDAA for Fiscal Year 2020 built on the previous year's legislation by adding requirements for the cybersecurity practices and processes of contractors that did business with the DoD. These requirements were a response to the increasing number of cyber threats against government agencies, and against the DoD in particular.
The specific need for CMMC arose from two compounding concerns: a compromised supply chain, and the increasing frequency and sophistication of cyberattacks against government agencies. Its primary objective was to ensure that contractors had appropriate cybersecurity measures in place to protect sensitive information. The theft of intellectual property and of sensitive information such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) had become a growing risk to prioritize and mitigate. In 2018, the Council of Economic Advisers estimated that malicious cyber activity had cost the U.S. economy between $57 billion and $109 billion in 2016. Over a ten-year period, that burden would equate to an estimated $570 billion to $1.09 trillion in costs.
The DoD recognized the need for a unified cybersecurity standard that could be applied across the board to every contractor providing goods and services to the DoD. In the past, documenting cyber posture for DoD contracts relied on a self-assessment model against NIST standards, principally NIST SP 800-171. Nothing prevented a contractor from overstating its posture in a self-assessment and attesting to a higher level of compliance than it had actually implemented. Because this self-reported picture proved unreliable, the DoD shifted to a model that requires assessment and certification by accredited third parties.
The first version of the framework (CMMC 1.0) was divided into five levels, each representing a higher degree of cybersecurity maturity. Contractors were required to demonstrate compliance with the level specified in a solicitation in order to bid on that DoD contract. The framework has undergone several changes since its inception in 2020.
In the latest version, CMMC 2.0, the DoD has removed the two transition levels and renumbered the remaining three: Level 1 "Foundational" (previously Level 1), Level 2 "Advanced" (previously Level 3, aligned with the 110 requirements of NIST SP 800-171), and Level 3 "Expert" (previously Level 5, adding a subset of the enhanced requirements in NIST SP 800-172).
The newest version of CMMC is simplified with fewer levels.
CMMC pushback and roadblocks
The rollout of the CMMC framework has not been without its challenges. Some contractors have raised concerns about the cost of implementing the cybersecurity requirements, particularly for small and medium-sized businesses. There have also been concerns about the availability of accredited assessors (CMMC Third-Party Assessment Organizations, or C3PAOs) to evaluate compliance with the framework, particularly in rural areas.
Another challenge the DoD has faced in implementing the CMMC framework is educating contractors about the new requirements. Many contractors were unaware of the underlying cybersecurity requirements prior to the release of the CMMC framework, and there has been a learning curve in understanding and implementing them.
Ultimately, the DoD has struggled to implement the CMMC framework in a timely and effective manner. The Department has, however, worked to address these challenges and has continued to move forward with implementation.
The fall 2022 unified agenda for the CMMC program shows the regulations in the "proposed rule" stage, with a notice of proposed rulemaking expected to be published in May 2023. We expect to see CMMC 2.0 language in DoD contracts soon after the rule is published. Those projections, however, can change depending on timelines and unforeseen events.
Why CMMC will be a requirement
Beyond protecting sensitive information, the CMMC framework is also intended to help companies improve their own cybersecurity posture. By requiring contractors to comply with the framework, the DoD pushes companies to invest in cybersecurity and take concrete steps to protect their networks and systems. As implementation continues, contractors will face increasing pressure to demonstrate compliance with the requirements, and companies that cannot do so may find it much harder to win DoD contracts, which could significantly affect their business.
CMMC is Available in Axio360
The CMMC framework matters because it protects sensitive information and pushes companies to improve their cybersecurity posture. Ultimately, it is an important step in protecting the security of the DoD and the nation as a whole. The Cybersecurity Maturity Model Certification (CMMC) is available for licensing in the Axio360 platform. You can get started today by completing both a Level 1 and a Level 2 assessment, the core building blocks necessary to achieve compliance. If you would like to learn more about our CMMC offerings, please contact us.
Stay tuned for our subsequent blog post on CMMC 2.0, in which we will dive into the three levels of CMMC 2.0, provide more detail on what has changed in this latest version, and explain what you need to know to strengthen your cybersecurity posture.