06.21.21 | Operations Chat
The enormous supply chain for the U.S. military comprises an estimated 300,000 businesses, including wholesalers, distributors, retailers, suppliers, and sub-suppliers, among many other kinds of organizations. If your business falls into this category, the U.S. Department of Defense (DOD) has developed a new and tougher standard for cybersecurity known as the Cybersecurity Maturity Model Certification (CMMC). By 2025 all contracts will require CMMC certification.
It’s clear that your organization will eventually need to meet this standard or risk losing DOD contracts. The need is fairly obvious. Cyberattacks continue to grow, and cybercriminals are getting more sophisticated.
The CMMC has five levels:
Level 1: Basic
Level 2: Intermediate
Level 3: Good
Level 4: Proactive
Level 5: Advanced & Progressive
The demands on your controls and processes grow as you progress through the levels. To get started on your preparations, it is advisable to follow these steps:
PERFORM A RISK ASSESSMENT: Review the controls and processes your organization already has in place and determine how they correlate with the CMMC level you wish to achieve, at least initially.
INITIATE A MITIGATION PLAN: Based on the results of your risk assessment, identify what you need to do to improve any control weaknesses or what additional controls you now need to introduce in light of CMMC demands.
TAKE ACTION AND SET GOALS: Leverage your organizational skills and outline how you will achieve your mitigation goals, in what order, and by a predetermined deadline. The issues you will need to address include establishing new policies, training employees, and performing vendor due diligence, among many others.
IDENTIFY TECHNOLOGY NEEDS: Fulfilling your CMMC requirements will likely involve the assistance of additional technology. As an example, control mapping will help you identify whether your existing controls are able to meet CMMC needs. Any financial investment in technology should be weighed against the potential for lost DOD contracts.
AUDIT YOURSELF: If and when you think you are ready for CMMC certification, perform an internal audit. In this way, you can catch any gaps or omissions and remediate them ahead of a third-party assessor who will be making its own determination for the DOD.
I have only touched lightly on the steps you need to take in order to prepare for CMMC certification and will go into more detail in a future article.
If you have any questions, I can be reached at 212.331.7448 | email@example.com or contact your Berdon advisor.
Alexander Moshinsky, Director of Operational Advisory and Risk Management at Berdon LLP, brings more than 25 years of experience in the financial services, real estate, and other sectors — working with major institutions and government regulatory agencies, including broker-dealers and dark pool network operators.