Insight
CMMC 2.0: The New Cybersecurity Program
ABS Quality Evaluations
In 2021, The U.S. Department of Defense (DoD) instituted a requirement for all members of the Defense Industrial Base (DIB) and would-be contractors to comply with the Cybersecurity Maturity Model Certification (CMMC). Once revisions are finalized, CMMC 2.0 is expected to become a requirement by the fall of 2023.
Because of the similarities between ISO 27001:2022, the world's best-known Information Security Management System (ISMS) standard, the Defense Federal Acquisition Regulation Supplement (DFARS) and the National Institute of Standards and Technology's Special Publication 800-171 (NIST SP 800-171), organizations are questioning if they can forego CMMC 2.0 certification and comply only to the ISO 27001 standard, NIST 800-171 special publication or the supplemental requirements. The short answer is NO. There is no substitute for CMMC 2.0 program if you want to meet the requirements established by the DoD.
A New Outline for Information Verification
The CMMC 2.0 program was created to ensure that DIB members follow the established practices in NIST 800-171 and DFARS to secure controlled unclassified information (CUI) and federal contract information (FCI) within the DoD supply chain. It provides a verification and certification framework for organizations to demonstrate their cybersecurity posture to stakeholders and ensure compliance.
Upon its final revision, certifying to CMMC 2.0 will become mandatory for all organizations seeking to work with the DoD . There are three (3) different levels of certification based on the type of information an organization is tasked with protecting. Depending on which of the three levels your organization falls under, the certification process can include a third-party assessment, formal certification, self-assessment and an annual assessment to maintain certification.
ISO 27001 – The Outline for Managing Data Security
ISO 27001:2022 is an international standard that focuses on Information Security Management Systems (ISMS) and defines the individual requirements that an organization must meet to comply. This standard applies to the entire ISMS instead of a singular facet. There is a single certification process to comply with that requires an audit and formal certification from a recognized certification body to be re-certified every three years along with yearly surveillance audits by the certification body. The standard is not a requirement, but compliance shows the organization's commitment to putting a system in place to better manage the risks related to data security for the organization itself, its stakeholders and customers.
ISO 27001 vs. CMMC 2.0
Certifying to the ISO 27001 standard ensures that your ISMS is operating efficiently and meets the standard's requirements. The standard also ensures that you are continually looking to improve your cybersecurity efforts. The CMMC program leaves no room for choice as it verifies that your organization is meeting the requirements detailed by the DoD in order to operate within its supply chain and as a member of the DIB.
NIST SP 800-171 – The Outline for Protecting CUI
NIST 800-171 is a publication that outlines the required security standards and practices for non-federal organizations that handle CUI on their networks. Compliance with NIST SP 800-171 is not a new requirement. This publication has been a requirement for organizations involved in supply chains tied to government contracts. However, after finding organizations that were not in compliance, the DoD acted by creating CMMC. The CMMC program is a verification that NIST SP 800-171 has been correctly applied.
NIST SP 800-171 vs. CMMC 2.0
NIST SP 800-171 is a set of security requirements that organizations must implement to comply with federal regulations for individual organizations, while CMMC 2.0 is a certification program that verifies the organization's compliance with the requirements. The intent of NIST certification and its verification is to enforce the protection of sensitive unclassified information that is shared by the DoD with its contractors and subcontractors and assure the DoD's requirements are being followed.
Complementary But Not the Same
The cybersecurity certification you need to implement depends on your organization's goals. If you are a member of the DIB or are seeking to work with the DoD, you are required to meet the CMMC 2.0 requirements to be considered.
To ensure that your ISMS is secure and able to protect your organization's sensitive information, you should consider the implementation of the ISO 27001:2022 standard, whether you have the CMMC 2.0 certification or not.
If you are unsure about the certification your organization requires, our team of experts is prepared to guide your organization as you seek to improve the security and safety of your operations. With our holistic and encompassing process, we can assist your organization in assessing for the implementation of a mature cybersecurity program and certifying to the CMMC program.
Why ABS Quality Evaluations?
We're a global leader in Certified Performance.
ABS QE is a Certified Third-Party Assessor Organization (C3PAO) authorized by the Cyber Accreditation Body (Cyber AB) and a licensed training provider (LTP) certified by the Cybersecurity Assessor and Instructor Certification Organization (CAICO) to provide CMMC assessment services and training.
Our cybersecurity services include CMMC training, self-assessments, readiness reviews, gap assessments, Joint Surveillance Voluntary Assessment Program (JSVAP) assistance and certifications for ISO/IEC 20000, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017, ISO/IEC 27018 and ISO/IEC 27701, among others.
