If you’re involved in the defense industry or work with the U.S. Department of Defense (DoD), you’re likely familiar with the Cybersecurity Maturity Model Certification (CMMC). In our previous blog post, Getting Ahead of CMMC in 2023, we explored a brief history of the model and why compliance will ultimately become a requirement. The latest version, CMMC 2.0, brings significant updates and changes to the previous version, 1.0. Whether you’re a contractor, subcontractor, or a professional seeking compliance with CMMC requirements, here are the top 10 things you need to know about CMMC 2.0
1. Revised Maturity Model Framework:
CMMC 2.0 includes a revised maturity model framework that is designed to be more flexible and scalable. The framework consists of three maturity levels, each with a set of cybersecurity practices that must be implemented.
2. CMMC Accreditation Body (CMMC-AB):
The CMMC-AB is responsible for overseeing the certification of third-party assessors who are authorized to perform CMMC assessments. The CMMC-AB also manages the CMMC marketplace, which connects DoD contractors with CMMC assessors.
3. Continuous Monitoring:
CMMC 2.0 requires contractors to implement continuous monitoring processes to detect and respond to cybersecurity threats in real time. This includes monitoring for changes in system configurations, suspicious network traffic, and anomalous user behavior.
At Axio, we believe your entire cybersecurity program is a continuous endeavor requiring a risk-centric approach. A continuous cyber risk management program:
- Avoids disconnected spreadsheets for risk assessments.
- Visualizes improvement goals and deadlines in one place while referencing risk assessments.
- Prioritizes investment decisions based on risks that affect business operations.
4. Cybersecurity Governance:
CMMC 2.0 requires contractors to establish a formal cybersecurity governance program that is led by senior management. This program should include policies and procedures for managing cybersecurity risks, conducting risk assessments, and responding to cybersecurity incidents. Proactive governance is becoming essential, considering the increasing physical and cyber devastation over the past few years. Board reporting is shifting from reliance on a ‘defend and protect’ mindset to a more capable ‘mitigate and manage’ methodology.
5. Incident Response
CMMC 2.0 requires contractors to develop and implement a formal incident response plan that includes procedures for detecting, investigating, and responding to cybersecurity incidents. This plan should be tested regularly to ensure that it is effective.
Is your organization ready for a catastrophic ransomware attack?
Despite increased investments in cybersecurity, many organizations still need to implement the basic controls required to defend against ransomware. In fact, Axio’s 2022 State of Ransomware Preparedness Report reveals that only 30% of organizations have a ransomware-specific playbook for incident management.
6. Access Control
CMMC 2.0 includes new requirements for access control, including the use of multi-factor authentication (MFA) and the implementation of least-privilege access policies. This helps to ensure that only authorized users can access sensitive information.
Any compromised access credential spells trouble for an organization, typically resulting in the exfiltration of valuable data. But, obtaining a credential with elevated privileges—providing access to additional privileged credentials—is the ultimate hacker’s prize.
7. Security Assessment
CMMC 2.0 requires contractors to conduct regular security assessments to identify and address cybersecurity risks. These assessments should be conducted by qualified cybersecurity professionals and should include vulnerability scans and penetration testing.
8. Supply Chain Management:
CMMC 2.0 includes new requirements for supply chain management, including the assessment of cybersecurity risks posed by third-party vendors and the implementation of contractual requirements for cybersecurity.
9. Employee Awareness Training
CMMC 2.0 requires contractors to provide cybersecurity awareness training to all employees on a regular basis. This training should cover topics such as phishing attacks, password security, and safe internet browsing practices.
10. Incident Reporting
CMMC 2.0 requires contractors to report cybersecurity incidents to the DoD within a specified timeframe. Contractors must also report any changes to their cybersecurity posture that may impact their CMMC certification status.
Overall, the new requirements in CMMC 2.0 are designed to improve the cybersecurity readiness of DoD contractors and provide a standardized approach to assessing their cybersecurity capabilities. While achieving each maturity level may require a significant investment of time and resources, the benefits of achieving certification can be substantial, including increased opportunities to bid on DoD contracts and improved cybersecurity readiness.
The Cybersecurity Maturity Model Certification (CMMC) is available in the Axio360 platform. You can get started today by completing a Level 1 and Level 2 assessment—the core building blocks necessary to achieve compliance. Please contact us to discuss licensing options if you’d like to learn more about our CMMC offerings.