Supply-chain security is presently one of the industry's main challenges. This applies to many industries, perhaps especially the defence industry. CMMC (Cybersecurity Maturity Model Certification) is a standard defined by the US Department of Defense to enhance the cybersecurity of companies that deliver solutions to the US military. Certification in compliance with this model will be required of all companies in this supply chain, estimated at around 350,000 companies. As early as this autumn, certification will be required to participate in procurements, so it is high time to start implementation. The purpose of the certification is to increase security and visibility throughout the chain.
CMMC is based on other standards such as NIST 800-171, NIST 800-53, CSF, ISO 27002, CIS v7 and the Secure Controls Framework, and has been developed by the US military together with industry and academia. The model is based on five maturity levels that represent a company's level of security in terms of technology, processes and behaviour. Level 1 entails basic cybersecurity, while level 5 is an advanced level.
Combitech works with a six-step model for implementation of and compliance with CMMC. The model is adapted together with the customer to meet the customer's specific needs.
Example approach:
1. Define goals and scope
2. Start with analysis of the organization and the present situation
3. Identify gaps and deficiencies against the controls at the selected CMMC level. Technology, processes, organization and awareness are all included.
4. Develop a CMMC compliance plan. Identified gaps and deficiencies must be addressed. Examples of basic areas of CMMC – see the model at the left.
5. Create an organization for handling deficiencies and enforcement.
6. Implement the plan and ensure continuous compliance, among other things by integrating measures into existing processes.