Security in the supply chain is presently one of the industry's main challenges. This applies to many industries, perhaps especially the defence industry. CMMC (Cybersecurity Maturity Model Certification) is a framework defined by the US Department of Defense to enhance the cybersecurity of companies that deliver solutions to the US military. Certification in compliance with this model will be required of all companies in this supply chain, estimated at around 350,000 companies, in order to protect sensitive unclassified information (CUI = Controlled Unclassified Information). Shortly, certification will be required to participate in procurements, so it is high time to start implementation. The purpose of the certification is to increase security and resilience throughout the chain.
CMMC is based on other standards and frameworks such as NIST 800-171, NIST 800-53, CSF, ISO 27002, CIS v7 and Secure Controls Framework, and has been developed by the US military together with industry and academia. The model is based on five different maturity levels that represent a company's level of security in terms of technology, processes and behaviour. Level 1 entails a basic level of cybersecurity, while level 5 is an advanced level.
DFARS, the regulatory framework that governs government procurement in the field of defense in the United States, issued a number of interim rules at the end of 2020 to speed up the implementation of the new framework. This means, among other things, that suppliers must carry out and report a self-assessment against NIST 800-171. The result of the self-assessment must be reported in DoD's Supplier Performance Risk System (SPRS).
Combitech works with a six-step model for implementation and compliance with CMMC. The model is adapted together with the customer to meet the customer's specific needs.
Example of the approach:
1. Define goals and scope
2. Analyse the organization and the present situation
3. Identify gaps and deficiencies against the controls at the selected CMMC level. Technology, processes, organization and awareness are all included.
4. Develop a CMMC compliance plan in which the identified gaps and deficiencies are addressed. Examples of basic areas of CMMC are shown in the accompanying model figure.
5. Create an organization for handling deficiencies and enforcement.
6. Implement the plan and ensure continuous compliance through, among other things, integration of measures in existing processes.