{"id":2254,"date":"2020-12-09T08:11:10","date_gmt":"2020-12-09T08:11:10","guid":{"rendered":"https:\/\/blog.einnosec.com\/?p=2254"},"modified":"2022-02-28T09:21:07","modified_gmt":"2022-02-28T09:21:07","slug":"everything-you-need-to-know-about-dod-cmmc-cmmc-introduction","status":"publish","type":"post","link":"https:\/\/blog.einnosec.com\/index.php\/2020\/12\/09\/everything-you-need-to-know-about-dod-cmmc-cmmc-introduction\/","title":{"rendered":"Everything You Need to Know About DoD CMMC &#8211; CMMC Introduction"},"content":{"rendered":"\n<p>In March 2020, Visser Precision Manufacturing confirmed it was \u201cthe recent target of a criminal cybersecurity incident, including access to or theft of data.\u201d Visser Precision, a Denver, Colorado-based manufacturer, makes custom parts for customers in many industries, including Lockheed Martin, Boeing, General Dynamics, and SpaceX.<\/p>\n\n\n\n<p>Security researchers attribute the attack to DoppelPaymer, file-encrypting ransomware that first exfiltrates the company\u2019s data, then encrypts the victim\u2019s computers, and finally exposes the files. Its operators threaten to publish the stolen files if the ransom is not paid.<\/p>\n\n\n\n<p>The Department of Defense (DoD) has one of the world\u2019s largest supply chains, including thousands of third-party contractors. These vendors and partners are the weakest cyber link in the nation\u2019s defense infrastructure and present a substantial cyber risk.<\/p>\n\n\n\n<p>In this series of blogs, \u201cEverything You Need to Know About DoD CMMC,\u201d we will discuss the Cybersecurity Maturity Model Certification, known as \u201cCMMC.\u201d&nbsp; Today\u2019s article is the second in the series, and it&#8217;s about the CMMC model.<\/p>\n\n\n\n<p><strong>What is CMMC?<\/strong><\/p>\n\n\n\n<p>CMMC stands for \u201cCybersecurity Maturity Model Certification\u201d. 
The CMMC will encompass multiple maturity levels that range from \u201cBasic Cybersecurity Hygiene\u201d to \u201cAdvanced\/Progressive\u201d.<\/p>\n\n\n\n<p>The CMMC is incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS) and used as a contract award requirement.<\/p>\n\n\n\n<p>The new CMMC framework is used to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).<\/p>\n\n\n\n<p>The CMMC is intended to serve as a verification and validation mechanism ensuring that the Department\u2019s industry partners have appropriate cybersecurity practices and processes in place to maintain basic cyber hygiene and to protect controlled unclassified information (CUI) residing on their networks.<\/p>\n\n\n\n<p><strong>Purpose<\/strong><\/p>\n\n\n\n<p>To protect against cyber-attacks, the DoD wants vendors to secure the following types of unclassified information from adversaries:<\/p>\n\n\n\n<p><strong>Federal Contract Information:<\/strong> FCI is information not intended for public release. It is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information the Government provides to the public on public websites.<\/p>\n\n\n\n<p><strong>Controlled Unclassified Information:<\/strong>&nbsp;CUI does not include classified information. CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government. 
CUI is any potentially sensitive, unclassified data that requires controls defining its proper safeguarding or dissemination.<\/p>\n\n\n\n<p><strong>CMMC Model<\/strong><\/p>\n\n\n\n<p>First released on January 31, 2020 (two updates have been introduced since), the model articulates several requirements that contractors must meet to qualify for the various cybersecurity maturity certifications.<\/p>\n\n\n\n<p>Those certifications encompass multiple maturity levels, from Level 1, \u201cBasic cybersecurity hygiene,\u201d to Level 5, \u201cHighly advanced cybersecurity practices.\u201d These certifications are likely to be mandated in RFPs beginning as early as this year. The RFP will state the required CMMC level in Sections L and M and use it in \u201cgo\/no-go decisions\u201d.<\/p>\n\n\n\n<p>Vendors must undergo CMMC audits to become certified and to continue offering their products and services to the DoD.<\/p>\n\n\n\n<p>The CMMC model combines various cybersecurity control standards, such as NIST SP 800-171 (Rev. 1 &amp; Rev. B), NIST SP 800-53, ISO 27001, ISO 27032, and Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933, together with inputs from the DoD and the DIB, into one unified standard for cybersecurity.&nbsp; In addition to cybersecurity control standards, the CMMC also measures the maturity of a company\u2019s institutionalization of cybersecurity practices and processes.<\/p>\n\n\n\n<p>The CMMC model organizes Processes and Practices into a set of domains and five maturity levels. The framework aligns the practices to a group of capabilities. 
It categorizes these best practices into:<\/p>\n\n\n\n<ul><li>Domain<\/li><li>Processes<\/li><li>Capabilities<\/li><li>Practices<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In March 2020, Visser Precision Manufacturing confirmed it was \u201cthe recent target of a criminal cybersecurity incident, including access to or theft of data.\u201d Visser&#8230;<\/p>\n","protected":false},"author":1,"featured_media":2741,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[84],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/posts\/2254"}],"collection":[{"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/comments?post=2254"}],"version-history":[{"count":1,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/posts\/2254\/revisions"}],"predecessor-version":[{"id":2255,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/posts\/2254\/revisions\/2255"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/media\/2741"}],"wp:attachment":[{"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/media?parent=2254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/categories?post=2254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.einnosec.com\/index.php\/wp-json\/wp\/v2\/tags?post=2254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}