For the Defense Industrial Base (DIB), the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) compliance requirement is the hot news topic of 2021. In fact, across the DIB market, CMMC compliance will probably stay a focus through at least 2025.
However, for the long term, many organizations are looking to understand the potential impact that CMMC will have outside the DIB. On January 21, the DoD’s CISO subtly announced that her agency is working with the Department of Homeland Security (DHS) to implement CMMC in their contracts. As a result, companies that contract with other agencies are starting to ask, “How do I get compliant efficiently and cost-effectively?” The answer should include looking to NIST 800-171, hardening their systems, and automating STIG compliance.
Why are agencies jumping on Cybersecurity Maturity Model Certification?
The short story is that CMMC offers the first federal compliance requirement that looks to create clear cybersecurity standards.
The real story is a little longer.
Any company that contracts with the DoD, or any federal agency, needs to meet various compliance requirements already. There’s ITAR, DFARS, FAR, NIST 800-171, NIST 800-53, NIST Cybersecurity Framework (CSF), and CERT Resilience Management Model. Cross-mapping all of these compliance standards is time-consuming, tedious, costly, and challenging. CMMC pulls from all of these, creating a single set of requirements that every DIB member can use to prove its cybersecurity posture.