ISO, NIST, CMMC — if the alphabet soup of cybersecurity frameworks has you confused, we’ve got you covered. In the latest episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss chats with guest Jim Watkins, former deputy laboratory director in the FBI’s Orange County Crime Lab and current certified technical assessor for the ANSI National Accreditation Board, about some of the more prominent cybersecurity frameworks, the process of cybersecurity assessments, how compliance issues are addressed, and what’s the difference between self-assessment, self-certification, and accreditation, and how a skilled attorney can make all the difference in getting accredited.
On September 1, 2020, Department of Defense (DoD) contractors will be required to comply with the recently released Cybersecurity Maturity Model Certification (CMMC) requirements. The CMMC requirements are designed to ensure that suppliers, contractors and subcontractors working with the DoD’s Office of Acquisition and Sustainment have cybersecurity frameworks in place “to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).” Through the creation of the CMMC, DoD appears to be enhancing the requirements of NIST 800-171, ISO 27001 and other cybersecurity-related frameworks.
The CMMC model delineates five “maturity” levels, with level 1 being the least secure and level 5 being the most secure. Once the CMMC takes effect, DoD will assign all solicitations an appropriate maturity level that bidders must be able to meet if they wish to bid on the solicitation.