New DoD Cybersecurity Requirements

ISO 27001 Information Security Management System (ISMS)

The International Organization for Standardization (ISO) is a global body that develops and maintains standards across many disciplines, and certification to an ISO standard is recognized internationally. ISO 27001 is the standard that specifies an organization’s Information Security Management System (ISMS). It is widely used by organizations that want to formalize and demonstrate their commitment to data protection. The standard gives guidance on how information is controlled and used but does not mandate specific tools, solutions, or methods; this flexibility allows organizations in any industry to adopt ISO 27001 and be certified against it.

Cybersecurity Maturity Model Certification (CMMC)

The more prescriptive Cybersecurity Maturity Model Certification (CMMC) was developed by the United States Department of Defense (DoD) as a certification process for assessing a company’s ability to protect Controlled Unclassified Information (CUI). CMMC is a unified cybersecurity standard required of all contractors that want to work with the DoD. It is a method of auditing contractor compliance with NIST SP 800-171 and was adopted to address the low rate of NIST SP 800-171 compliance across the Defense Industrial Base. The DoD will require companies bidding on defense contracts to certify that they meet a specified level of cybersecurity standards when responding to requests for proposals.

Similarities:

Both provide a set of cybersecurity controls.

Both require an independent, objective assessment for certification.

Differences:

| ISO 27001 | CMMC |
| --- | --- |
| Applicable to organizational data as well as customer data | Applicable to CUI |
| Focus on confidentiality, integrity, and availability of information | Used to rank a company’s ability to protect CUI data |
| Certification is possible but not obligatory | Certification is required in order to bid on certain contracts |
| Allows organizations to select controls based on a risk assessment (controls are listed in Annex A) | Controls must be implemented based on the CMMC level the organization is required to achieve, as specified in the contract; there are five certification levels that reflect the maturity and reliability of the organization’s cybersecurity infrastructure |
| Does not address Situational Awareness & Maintenance | Explicitly calls out Situational Awareness & Maintenance |
| Any organization may adopt and/or be certified to ISO 27001 | DoD contractors will be required to obtain CMMC certification, which may include suppliers at all tiers of the supply chain |

ISO 27001 can provide a foundation for implementing key components and practices of CMMC, because many of the ISO 27001 domains also appear in the CMMC model of controls (with the exception of Situational Awareness & Maintenance). An organization can be certified to both ISO 27001 and CMMC if it develops its ISMS with CMMC fully considered. Certification to CMMC will, of course, require more resources and additional technology and tools. However, the significant overlap between the two standards makes parallel certification practical, which can save both cost and time.

CMMC Maturity Levels

The CMMC defines five (5) levels of maturity, each with a set of supporting practices and processes; the model contains 171 practices in total.

Level 1 – Basic Cyber Hygiene
Level 2 – Intermediate (documented) Cyber Hygiene
Level 3 – Good Cyber Hygiene
Level 4 – Proactive
Level 5 – Advanced/Progressive

Certification to CMMC

Companies seeking CMMC certification should do the following:

  1. Identify the maturity level they want to be audited for
  2. Find an available third-party assessment organization
  3. Develop and implement a CMMC program based on the desired maturity level
  4. Undergo the third-party assessment
  5. Resolve any issues found during the third-party assessment within 90 days

Timeline

The DoD began incorporating CMMC level requirements into its Requests for Proposals (RFPs) in October 2020. CMMC implementation will be phased in starting in 2021. By 2026 the DoD will require all companies doing business with it to be CMMC certified.

Best Practices

To get started on general cybersecurity for your small to medium-sized business, you can adopt procedures such as using a firewall, documenting your cybersecurity policies, educating all your employees, enforcing safe password practices, regularly backing up data, using multi-factor authentication, and implementing supplier/vendor policies related to data security.

For additional information about CMMC, the ISO 27001 Information Security Management System, or general questions about management systems, contact us.