This week the U.S. Defense Department announced that businesses seeking to earn defense contracts will have to show that they can store sensitive information safely.
The Pentagon is working on the Cybersecurity Maturity Model Certification (CMMC) program, which includes the defense industry, government officials and the government. The framework sets out five qualification grades, each reflecting how critical the system or subsystem is that a contractor wants to work on.
The CMMC framework is expected to be available in January 2020, and the DoD is expected to include it in the selection process for contractors by June 2020.
The goal is to assess the technical ability and the sophistication of a company’s cybersecurity processes to ensure that its networks are able to protect themselves from attacks by adversaries who want to steal information on weapons and government contracts.
A third party will perform the inspections, and a number of companies will take up the task. The Department of Defense expects to decide who will perform the audits by January.
“Cybersecurity is a threat to the DOD and the whole government, as well as critical US business sectors, including banking and healthcare,” said Ellen Lord, the defense undersecretary for acquisition and maintenance. “We know that the adversary is with us every day at cyber war. This is therefore both a US economic security problem and a US security issue. I think it is absolutely important that we are transparent about what expectations [and] benchmarks, what the metrics are, and how we will effectively review them, as we look at cyber security standards.”
Lord said it could be more difficult for small firms to comply with the CMMC specifications and that the DoD took steps to address issues.
“We know that this can be a burden for small enterprises in particular, and small businesses are the main source of our innovation,” said Lord. “We worked with the premiers, the industry associations, the mid-size businesses, and the small enterprises on how we can most effectively implement it, so that it does not impose a huge industrial base cost penalty.”