Initially introduced in 2020, Cybersecurity Maturity Model Certification (CMMC) establishes cybersecurity standards for defense contractors who handle sensitive information. It affects all contractors who perform work for the US Department of Defense (DoD).
Organizations that will need to demonstrate CMMC compliance may wonder what is required of them, and how video surveillance fits into their security strategy. In this blog, we’ll look at CMMC, how it pertains to video security cameras, and how you can use video surveillance to strengthen overall security compliance throughout your organization.
Cybersecurity Maturity Model Certification (CMMC) is a process created by the Defense Department to help ensure that all defense industrial base (DIB) contractors meet cybersecurity standards and requirements for protecting unclassified information.
CMMC describes five levels of certification, each of which establishes certain cybersecurity standards for defense contractors who handle sensitive information. It aims to protect sensitive data from cyberattacks, hacking, poor data hygiene, negligence, or other unsafe digital practices.
Initially introduced in 2020, CMMC requirements are being rolled out over time. It's expected that by 2026, all DoD contracts will require a minimum of Level 1 Certification.
The short answer is that all Department of Defense (DoD) contractors must comply with CMMC. However, the level of certification a contractor must meet varies, and is dependent on the nature of their work and the sensitivity of the data they handle.
For example, organizations handling only very basic information will need to achieve Level 1 Certification to comply. Those handling Controlled Unclassified Information (CUI) face a higher bar: a minimum of Level 3 will need to be achieved for organizations handling CUI.
The DoD has stated that the certification level required of a prime contractor will not automatically be the level required throughout its entire supply chain for a given contract. This means that a single contract involving multiple organizations and subcontractors can carry different certification requirements for each of them. Organizations must be agile and meet the level of compliance that satisfies the security requirements of the specific tier requested of them.
Before CMMC’s introduction in 2020, contractors were responsible for their entire cybersecurity process. They implemented, monitored, evaluated, and certified the security of their information technology systems and any defense information they stored or transmitted.
Cybersecurity Maturity Model Certification (CMMC) shifts the evaluation and certification processes to a third party. Contractors remain responsible for implementing cybersecurity standards across their organization, but their compliance and procedures must now be evaluated by a third party.
The CMMC is made up of five certification levels that reflect the maturity and reliability of a company’s cybersecurity standards and processes. Different contractors and projects will require different certification levels depending on the sensitivity of the data they handle.
These tiered levels build upon one another: each level's technical requirements include those of the levels below it. To be certified at a higher level, an organization must comply with the lower-level requirements and institutionalize the additional processes needed to implement that level's cybersecurity practices.
As of January 2022, the accreditation procedures and accreditors have not yet been established. Details are expected to be available soon, and it is believed that by 2026 the CMMC will be fully implemented.
Organizations are encouraged to start certification efforts as early as possible so that, when CMMC is finalized, they will already be eligible for potential DoD projects or other government contracts that involve sensitive defense information.
The best way for an organization to prepare for the implementation of CMMC is to establish best practices and adhere to the CMMC guidelines stated above. It is recommended to begin the compliance process by first meeting the requirements in NIST 800-171.
CMMC compliance can be complicated, and Rhombus often fields questions about how video surveillance and security cameras fit with federal requirements.
Many government and legal organizations use video surveillance to help secure their facilities and protect sensitive data. Because security cameras increase onsite security and accountability, federal contractors can use video security as part of their compliance strategy. When used alongside other cybersecurity best practices, video surveillance can help contractors reach CMMC compliance.
Rhombus has worked with numerous organizations that use cloud security cameras as part of their compliance strategy. Clients use Rhombus to help comply with CJIS, NIST, HIPAA, and more. We hope to aid anyone considering the use of security cameras in their organization to maintain robust cybersecurity protocols and meet compliance with CMMC.