Increasing the security and visibility of the entire chain
Security in the supply chain is presently one of the industry's main challenges. This applies to many industries, perhaps especially the defence industry. CMMC (Cybersecurity Maturity Model Certification) is a framework defined by the US Department of Defense to enhance the cybersecurity of companies that deliver solutions to the US military. Certification against this model will be required of all companies in this supply chain, estimated at around 350,000, in order to protect sensitive unclassified information (CUI, Controlled Unclassified Information). Certification will shortly be required in order to participate in procurements, so it is high time to start implementation. The purpose of the certification is to increase security and resilience throughout the chain.
CMMC is based on other standards and frameworks such as NIST 800-171, NIST 800-53, CSF, ISO 27002, CIS v7 and the Secure Controls Framework, and has been developed by the US military together with industry and academia. The model defines five maturity levels that represent a company's level of security in terms of technology, processes and behaviour. Level 1 entails a basic level of cybersecurity, while level 5 is an advanced level.
DFARS, the regulatory framework that governs defense procurement in the United States, issued a number of interim rules at the end of 2020 to speed up the implementation of the new framework. Among other things, this means that suppliers must carry out and report a self-assessment against NIST 800-171. The result of the self-assessment must be reported in DoD's Supplier Performance Risk System (SPRS).
About Cybersecurity Maturity Model Certification
- Version 1.0 of the standard was published on 31 January 2020.
- Mandatory for any company that wants to do business with the US military.
- Valid from autumn of 2020. If compliance cannot be demonstrated, companies can be excluded from procurements.
- There are five maturity levels to certify against. The applicable level is determined for each procurement and depends on the type of activity and the need for protection.
- Certification is carried out by an independent third party.