With the new California Consumer Privacy Act coming into effect, companies are once again taking time to scrutinize their information and data security plans, policies and procedures. Do I have the right measures in place? Am I doing enough to protect my customers' data? With EU GDPR and now California's CCPA, there's certainly a growing trend around the regulation and protection of data, just as the risks and attacks become more significant.
Guidelines like the ones produced by the National Institute of Standards and Technology (NIST) – a government agency that develops technology, metrics, and standards – can help you understand and implement recommended security controls for information systems. In particular there is the NIST Cybersecurity Framework (https://www.nist.gov/cyberframework) which is specifically designed to help organizations better understand and improve their management of cybersecurity risk.
But it's not just the measures within your company that need review. What about the businesses you rely on for goods and services? The supply chain could be the hidden cybersecurity risk that you haven't yet addressed. This can be a critical issue, especially for companies in the aerospace and defence sector, where government rules such as the Defense Federal Acquisition Regulation Supplement (DFARS) require that companies meet the standard described by NIST SP 800-171.
In fact, while adherence to these standards does not currently require any certification, the US Office of the Under Secretary of Defense for Acquisition & Sustainment is about to release the first version of a new Cybersecurity Maturity Model Certification (CMMC). The aim of this new certification is to allow the DoD to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).
Version 1.0 of the CMMC is now available to review and, unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company's implementation of cybersecurity controls, the CMMC will also assess the company's maturity and institutionalization of cybersecurity practices and processes.
Companies will have some time to evaluate the requirements of the CMMC, but they will not have the option to self-certify.
But if you start now, you'll have time to properly prepare for the upcoming change. So what's the first step? A readiness assessment will let you clearly understand the cybersecurity measures, policies and procedures your company will need in order to reach certification. With this readiness assessment you'll have an action plan you can get started on right away.
The same assessment should be applied to your suppliers. Understanding your suppliers' readiness level will help you understand the risks over which you don't have direct control.