The CMMC: Another Layer of Our Nation's Defense and a Chain of Compliance

By Jennifer Rothstein - Business Development Head, Insurance & Legal

“Cyber Insurance Insights” is a Blog Series that shares ideas, advice, and experiences from the BlueVoyant Professional Services team. The blogs discuss the lessons learned from assisting clients navigate post-breach insurance claims and pre-breach preparation.

The Cyber Security Maturity Model Certification (CMMC) is a new cyber security requirement for DoD contractors and subcontractors. While the DoD and its extended network - by definition - already protect our nation, now these requirements will further protect these protectors.

The CMMC will encompass multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.

Contractors and subcontractors who handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) must be compliant. FCI is Government contract-related information that is not intended for public release. CUI is information created or possessed by or for the Government that a non-governmental agency is allowed to handle with the caveat that appropriate security controls are in place to protect that data.

There are five different levels of cyber security maturity that contractors may achieve:

• Level 1 (Performed): Basic Cyber hygiene is in place with selected practices documented where required. Practices are ad hoc.
• Level 2 (Documented): Level 1 + a policy exists that includes all activities. Practices are documented.
• Level 3 (Managed): Level 2 + adherence is verified through examination or test, and a plan exists, is maintained and resourced that includes all activities (mission goals, project plan, resourcing, training needed, and involvement of relevant stakeholders). Processes are guided by policy, maintained and followed.
• Level 4 (Reviewed): Level 3 + activities are reviewed and measured for effectiveness (results of the review are shared with higher-level management) and for issue resolution. Practices are periodically evaluated and revised.
• Level 5 (Optimizing): Level 4 + a standardized, documented approach across applicable organizational units. Practices are continuously improved and shared across the enterprise.

Certification may only be granted by a third-party accredited assessor; contractors cannot self-assess. The practice of complying with cyber security requirements is not a new one to this group. Prior to January 1, 2020, the applicable guidelines were NIST SP 800-171. Now the CMMC Levels 1-3 incorporate the 110 security requirements specific in NIST. However, in order to be awarded a contract for the DOD, each supplier must be certified – the requisite level will be stated in the RFP.

The Defense Industrial Base (DIB) is comprised of approximately 300k contractors who will be affected by the CMMC. Cyber security compliance, therefore, will be threading these contractors together – securing our supply chain in an unprecedented way. As our global economy continues to expand, and in particular, as we rely more and more on our remote workforce and delivery infrastructure, organizations need to understand their partners’ cyber security posture. An organization is only as strong as its weakest link and in the context of the DoD, the weakest link can lead to catastrophic damages.

The certification exercise and the critical preparation is not for CMMC alone. Along with data protection and information risk management, ultimately, most organizations conclude they have unacceptable levels of risk that either can’t be mitigated to a lesser risk or it is economically unfeasible to mitigate to an acceptable level. Ultimately, transferring those unacceptable risks to a best-in-class, broad cyber liability insurance program is highly recommended.

Instead of merely recommending an ‘insurance policy” we advocate for a strategic partnership for organizations to partner with an expert-led cyber insurance brokerage firm. This strategic partnership provides not only the insurance required, it provides you with proactive, preventative privacy and cyber risk services along with preparedness in identifying, containing, handling, responding and recovering from a cyber event that impacts your organization and your supply chain.

This article was originally published by CHART Magazine.