In 2021, the Department of Defense announced a new strategic effort to enhance cybersecurity for its building projects going forward. The Cybersecurity Maturity Model Certification (CMMC) will hold companies accountable for implementing cybersecurity standards to protect sensitive data during the design, build and operations of DoD facilities. Through research grants by the John R. Gentille Foundation and Electri Foundation, a video series has been produced by MCAA’s Chief Security Fanatic, Nick Espinosa, to provide an update on the process.
Recently, the DoD updated its timeline for CMMC and plans to publish the initial requirements in March 2023 for the 60-day review and comment period. Once that is completed, the first phase of CMMC compliance will go into effect with a self-assessment that must be completed by every contractor working on a DoD project. The second phase, which requires third-party auditing of a contractor’s cybersecurity practices, has not yet been established but is projected to take place in 2025.
The CMMC program includes cyber protection standards for companies in the defense industrial base (DIB). By incorporating cybersecurity standards into acquisition programs, CMMC provides the Department assurance that contractors and subcontractors are meeting DoD’s cybersecurity requirements. For plumbing, mechanical and service contractors working on DoD projects, this means that they will have to document and upgrade safe data practices, increase the security level of their software and certify that these standards have been met through third-party auditors.
Eleven new cybersecurity best practices videos have been added to the series, and as the standard develops, the John R. Gentille Foundation will provide additional videos and materials. These are practical for all contractors, not just those working on DoD projects, and help protect your business and your customers. The topics include:
- Selecting Good Backup Providers
- Key IT and Cybersecurity Management Tools
- Core Network and User Policies
- Selecting a Next Generation Firewall
- Selecting a Cloud Based Spam Filter
- Selecting an Identity Management Provider
- Selecting an Endpoint Detection Response Platform
- Selecting a Digital Rights Management and Data Loss Prevention Provider
- Choosing the Right Cyber Insurance Provider
- Creating a Good Contingency Plan
- Role Based Cyber Awareness Training