My last column for CompanyWeek detailed the new compliance requirement for businesses working with the DoD: Cybersecurity Maturity Model Certification (CMMC). The CMMC model is designed to protect the covered defense information that is in all DoD contracts and the covered defense information that may be produced by the defense contractor. The model consists of five levels, with each higher level incorporating increasing levels of security. The goal is for all 300,000 companies in the defense industrial base to be audited and certified compliant by 2026.
Essentially, CMMC compliance certification will be a baseline requirement. The bottom line: With the appropriate certification level, there will be access to contracts; without certification, a company will be deemed unqualified.
Information security compliance requirements are nothing new, and in many industries, they have been around for years. In healthcare, the requirement is the Healthcare Insurance Portability Accountability Act (HIPAA), which requires the safeguarding of patient information. In finance, one of the requirements is the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999. The requirement is to protect customer financial information.
Then there are the International Organization for Standardization (ISO) standards; the most common is ISO 9001, which is a quality management process, and there is ISO 27001, which is an information security standard. In the construction industry, there are standards for design, environmental, construction, and the experience modification rating (EMR). The EMR rating is used to price workers' compensation insurance premiums; it is a way to assign workplace loss and risk to a company. With a high EMR rating, a construction company is going to find it impossible to be awarded a large prime contract or to be hired as a subcontractor. Increasingly, meeting industry-specific compliance requirements is no longer an option; it is a decision point. If the business strategy is to work in a specific industry sector, then meeting the compliance requirement is mandatory.
For a defense contractor working within the defense industrial base, meeting the appropriate CMMC level is mandatory, and meeting the compliance requirements is an investment in resources. As mentioned, there are five levels; most companies will be Level 1, which is 17 practices or requirements; by comparison, at Level 5 there are 171 practices. These 17 Level 1 practices include the 15 security practices that were mandated for all Federal contracts in June 2016. Within the CMMC model, Level 1 is the minimum set of practices needed to achieve basic cyber-hygiene. In meeting the CMMC model requirements, it is important to realize that the model is focused on system security; it is not a cybersecurity plan, and it is not an IT security model. The model is focused on viewing security in terms of a holistic and all-hazards approach.
In broad terms, cybersecurity or system security should not be considered a single-purpose effort with only one benefit, namely achieving CMMC model compliance. The reality is that all businesses, federal contractors or not, need to protect their information and information systems. The CMMC model, with its practice requirements, is focused on protecting covered defense information. However, all businesses have company-controlled information that needs to be equally protected. This company-controlled information includes financial data, customer and employee information, company intellectual property, and the like. In addition, most companies need to protect access to their information management system; without access, the company cannot function. Companies also rely on data and its accuracy, and the confidence of the system users in the data needs to be assured and protected.
Essentially, the practice requirements in the CMMC model need to be viewed as a list of universal best practices for securing the company's information management system. The threat should not be viewed as only directed toward government information; the threat is directed to exploiting system vulnerabilities wherever they can be found. Most importantly, most small businesses are out of business six months after a cyberattack.
Subsequent articles in this series will cover the specifics of what companies can do to secure their management information system and meet the 17 CMMC Level 1 requirements. The next article will cover system access control, followed by physical access control, and then system integrity requirements. Meeting these 17 requirements in terms of the CMMC model is meeting the requirement for basic cyber-hygiene. These are also the controls that will serve to protect the company's controlled information and the company's information management system. Essentially, putting these Level 1 practices in place will aid in meeting CMMC Level 1 compliance and will help in making the information management system secure.
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171 Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at firstname.lastname@example.org.