How will Primes and Subcontractors maintain compliance?
A change is coming for government contractors who provide goods and services to the U.S. Department of Defense. In 2020, contractors will be required to comply with the recently announced Cybersecurity Maturity Model Certification (CMMC) process.
CMMC stands for Cybersecurity Maturity Model Certification. It is the latest security framework mandated by the Department of Defense (DoD) for any contractor that sells into the DoD. It outlines a range of security maturity levels that must be met and will be used by the DoD as a qualification criterion for RFPs and vendor selection.
In 2015 the DoD identified specific cyber requirements in the Defense Federal Acquisition Regulation Supplement (DFARS) (252.204-7008 and 252.204.7012). DFARS required DoD contractors to adopt cybersecurity processes and standards created by the National Institute of Standards and Technology (NIST). All government contractors needed to represent that they had implemented the requirements of the NIST SP 800-171 by the end 2017. The framework, NIST SP 800-171, was part of a broad government initiative to protect the DoD supply chain from cyber threats and other security risks.
The framework required contractors to “self-attest” that they had met the requirements of NIST 800-171. It became apparent that this did not go far enough and CMMC was introduced to take the NIST 800-171 framework, add new levels of controls and levels of security maturity, and now require contractors to be officially certified. The intent is to bring even higher levels of assurance to protect DoD assets. The framework defines cybersecurity practices at the highest level by domains. Each domain is then segmented by capabilities, and capabilities identify contractor achievements that ensure cybersecurity requirements are met within each domain. DoD contractors will need to demonstrate compliance with required capabilities by showing adherence to practices and processes that have been mapped across the five maturity levels of CMMC.
The CMMC Accreditation Body (AB) will accredit CMMC Third Party Assessment Organizations (C3PAOs). Companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.
While CMMC has been rolled out, organizations are still awaiting the list of C3PAOs. As such for an organization to work in the current environment they must meet the NIST SP 800-171 requirements and in anticipation of future contracts make sure they are prepared for CMMC certification.
The challenge resides in how to meet both requirements. While NIST SP 800-171 will be a subset of CMMC, how can an organization go about preparing for both without adding extra layers of cost and work? Ideally they should work in a fashion that incorporates both frameworks and allows for proper reporting on each.
Working with providers who understand how to leverage these requirements will allow an organization to make sure they are ready now and for future contracts. Utilizing software that harmonizes both frameworks and can provide the requisite reports and information to meet the current NIST 800-171 and future CMMC certification requirements will help in assuring ongoing and future business.
Learn how SureShield can assist in this process.
In response to the increasing trend of cyber threats, the Department of Defense (DoD) recently implemented a new cybersecurity standard for contractors who work with the US Military Services in order to be assured that its vendors are adequately securing their confidential data. In one of the biggest-ever changes to Defense contracting, the Cybersecurity Maturity Model Certification or CMMC now requires contractors to go through five-tiers of network security controls that will need to be checked by third-party assessors. Getting a CMMC Assessment will now be an added cost that contractors in the Defense sector have to bear and only those who provide commercial off-the-shelf products or services will be exempt.
The Cybersecurity Maturity Model Certification combines certifications into a unified cybersecurity standard and will assess the maturity of an organization’s cyber risk mitigation practices. Defense Industrial Base (DIB) partners as well as contractors are required to meet the DoD’s new CMMC guidelines to bid on future projects.
How did the change in CMMC requirements come about?
The USA loses a whopping USD 6 Billion a year to adversaries due to exfiltration, data rights and R&D losses. With robust cybersecurity protocols in place, the loss may be reduced by 10% or more, money better utilized by reinvesting in partners in the industrial base to give the country a competitive edge. In other words, the changes in requirements are a reflection of the Pentagon’s endeavors to protect defense industrial base networks and controlled unclassified information from cyber attacks.
What do the CMMC rules entail?
CMMC rules will require contractors to be certified by third-party auditors to ensure that companies are adhering to certain standards. Organizations will be required to meet different levels of security, with level one being the lowest (basic cyber hygiene) and level five being the most stringent (proactive and advanced cyber practices). Each level consists of practices and processes that a contractor must follow if he wishes to achieve that level of certification.
The five levels correlate to the following:
- Level 1 – Safeguard Federal Contract Information (FCI)
- Level 2 – Serve as a transition step in cybersecurity maturity progression to protect CUI
- Level 3 – Protect Uncontrolled, Unclassified Information (CUI)
- Level 4 and 5 – Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)
To adequately prepare, an organization will need to do the following:
- Do Readiness Assessment and Gap Analysis
- Create aRemediation Plan
- Monitor and Report on findings
- Prepare a System Security Plan (SSP)
How SureShield Can Help
SureShield software can be utilized to streamline all the above processes. The solution can be used to conduct a readiness assessment and gap analysis based on the CMMC framework, identify gaps and provide a remediation plan with associated reporting and output the System Security Plan that will be required for certification. Next, we help you secure and prove to the CMMC Auditor that all key risks are understood and effectively managed by establishing a methodology to conduct risk assessment. Lastly, we build and execute a risk mitigation plan to help you get your CMMC certification by fixing gaps that need to be addressed for you to implement an actionable Risk Treatment Plan.