WHAT IS CMMC?
CMMC is the Cybersecurity Maturity Model Certification, a newly introduced security framework now mandated by the Department of Defense (DoD) for any contractor that sells goods or services to the DoD. CMMC specifies a range of security maturity levels and practices that must be met by any contractor, and compliance must be demonstrable as a qualification criterion for RFPs, contract awards, and renewals.
The Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7008 and 252.204-7012 establish the need for contractors to protect Controlled Unclassified Information (CUI) by providing "adequate" protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information. These DFARS clauses require compliance with NIST SP 800-171 on all "Covered Contractor Information Systems," a requirement that will eventually be replaced with the CMMC requirements. This creates a new level of complexity for contractors, who will need to comply with both NIST SP 800-171 and CMMC requirements.
EASILY ESTABLISH CONTINUOUS CMMC COMPLIANCE MONITORING & REMEDIATION
Using SureShield, CMMC vendors will be able to perform the activities required to achieve and maintain CMMC compliance:
A review of all security processes and policies as well as identification of security gap
Regular review and monitoring of all areas of compliance with remediation guidance
Automated generation of all required data and documents for SPRS submission - SSP, POA&M, and Compliance Scorecard
A living document that is automatically updated when substantial changes occur to an organization's security profile.
Did You Know?
Companies that work with the US Department of Defense (DOD) will need to meet CMMC requirements to bid on future contracts.
Frequently Asked Questions
What is CMMC?
CMMC is the Cybersecurity Maturity Model Certification. It is the latest security framework mandated by the Department of Defense (DoD) for any contractor that sells to the DoD, specifying a range of security maturity levels that must be met. These levels will be used by the DoD as a qualification criterion for RFPs and vendor selection.
Why was CMMC introduced?
In 2015 the DoD identified specific cyber requirements in the Defense Federal Acquisition Regulation Supplement (DFARS). DFARS required DoD contractors to adopt cybersecurity processes and standards created by the National Institute of Standards and Technology (NIST). All government contractors needed to represent that they had implemented the requirements of NIST SP 800-171 as of December 2017. NIST SP 800-171 was part of the larger initiative to protect the DoD supply chain from cyber threats and other security risks. The DoD has expressed concern that the vast majority of defense industry contractors maintain only adequate security hygiene practices. Faced with unacceptable risks to Controlled Unclassified Information (CUI) stored on contractor systems, the DoD introduced CMMC to ensure that appropriate levels of cybersecurity protections and processes are in place. CMMC will replace the current 'self-declaring' model with third-party certification, and the resulting audit and certification process will establish compliance as a condition of doing business with the Defense Department.
Who needs to be CMMC certified?
All DoD contractors will be required to obtain a CMMC certification. This includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors and foreign suppliers. It will be a condition of working with the DOD or bidding on any contracts.
When does CMMC begin?
The DoD released CMMC Model version 1.0 to the public on January 31, 2020. Implementation is expected to begin in late 2020 or early 2021.
What are the requirements for CMMC certification?
CMMC establishes five certification levels that reflect the maturity and reliability of a company's cybersecurity infrastructure to safeguard sensitive government information on contractors' information systems. The five levels are tiered and build upon each other's technical requirements. Each level requires compliance with the lower-level requirements and institutionalization of additional processes to implement specific cybersecurity-based practices. The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).
How can my organization get ready for CMMC?
You should familiarize your organization with CMMC Model version 1.0, which was released to the public on January 31, 2020. NIST created the Self Assessment Handbook (NIST Handbook 162) as an aid for suppliers self-directing their certification initiative. The handbook details certification requirements for NIST SP 800-171 Rev. 2, which aligns with CMMC Level 3. Your organization can also look to Managed Service Providers that can assist the organization in preparing for certification. The process should start with a Readiness Assessment and Gap Analysis, followed by a remediation plan, ongoing monitoring and reporting, and a complete System Security Plan (SSP). This is not a static process and will need to be done continuously.
Who can assist my organization with CMMC preparation?
If your organization is large enough, you can consider conducting and continuously monitoring this process with in-house resources. Working with Managed Service Providers (MSPs) with associated expertise may be a more cost-effective, secure, and efficient process.
Why should I get CMMC certified?
If your organization wants to continue to earn business from the DoD or wants to participate in any DoD bids, CMMC will be a requirement.
What tools can help my organization with CMMC certification?
Software tools that help conduct gap and risk analysis, identify security vulnerabilities and remediation processes, and lock down sensitive data greatly help in a continuous readiness process. They can assist in identifying risk gaps and completing the System Security Plan (SSP) report that will be required as part of certification.
How much loss in dollars has the DOD experienced with cyber hacks?
The DoD estimates that over $600 billion a year is lost in exfiltration, data rights, and R&D theft, primarily due to poor cyber hygiene.
How long does it take to achieve full CMMC compliance?
Achieving full compliance with CMMC practices depends on many factors, based on your organization's work and operations. For example: How do you currently control and manage your company's devices - are they managed locally, remotely, or both ways? What are your practices for deploying software to remote machines? Do you have a firewall for your network? Do you have endpoint protection for user devices? Are current security configurations implemented on servers and workstations? For most organizations with established and more mature Information Technology practices in place, achieving CMMC compliance can take as little as 6 - 8 weeks. However, for organizations with less mature Information Technology practices, getting CMMC compliant could take much longer - closer to 3 - 4 months.
How can my organization engage with SureShield to work collaboratively towards achieving full CMMC compliance?
We at SureShield understand the importance and urgency for your organization to achieve CMMC compliance. Your organization can work with us directly by contracting with us for our ComplyShield solution for CMMC or through one of our MSP partners. Either way, the process begins with an onboarding phase to learn your organization's operating structure, current business practices, work processes and data flows, sensitive data types used and/or transacted, and critical IT assets you host within your organization. Following the onboarding, a baseline CMMC practices compliance assessment is conducted to evaluate the state of implementation of the controls and practices that apply to your company. After the baseline assessment, the solution will provide your team with the required guidance for achieving compliance based on completion of "Action Plans".
Are you a third-party CMMC assessor?
No, we are not a third-party assessor ourselves, but a CMMC compliance software provider with deep knowledge of what is required to achieve compliance. As an organization, we are aligned and partner with third-party assessors that we can refer you to for your final CMMC controls compliance audit.
How does the ComplyShield solution support my CMMC compliance readiness and audit?
ComplyShield is a comprehensive compliance solution that allows you to establish a state of continued readiness, and fully supports all the documentation and supporting evidence required by auditors to demonstrate practice compliance. ComplyShield establishes a profile for your organization, allows you to get a baseline for your current state of compliance with CMMC controls and associated required practices, and then, through an intelligent automated compliance decision support framework, allows you and your staff to quickly establish the recommended compliance documentation for implemented practices, including providing you with needed document templates that serve as starter documents for your own organization and as evidence of compliance for auditors. All documents are saved and maintained in a secure "document room" within the application.
Think of ComplyShield as the "intelligent compliance automation" that is built by experts based on best practices, enabling your organization to establish a "continuous compliance framework" and maintain a state of continued compliance with minimal effort. This will enable your organization to achieve compliance within a short period of time and keep all your evidence of compliance in a centralized repository. ComplyShield will establish and institutionalize cyber hygiene within your organization - one of the key requirements of CMMC. In addition, we have a team of experts that can provide audit support as and when required when an auditor comes on-site.
How can SecurityShield help me?
SecurityShield augments the compliance posture by automating vulnerability scans. Risk Assessment requires an organization to scan the IT Infrastructure for vulnerabilities regularly and remediate them. SecurityShield provides a cloud managed and fully automated recurring vulnerability scan capability with prioritized remediation reports to effectively manage your vulnerabilities.
How can HackShield help me?
The primary goal of CMMC is to protect CUI/FCI. HackShield helps detect unprotected CUI in the IT infrastructure and transparently encrypts it, thus strengthening compliance. HackShield will ensure all CUI/FCI is protected in your IT Infrastructure while preventing data exfiltration effectively.
How can BreachShield help me?
BreachShield adds a layer of protection from breached information. BreachShield proactively monitors the dark web for any breached credentials or compromised hosts of your organization that could eventually lead to a security breach.
How can VendorShield help me?
The Defense Industrial Base consists of a few Prime Contractors and a large ecosystem of subcontractors. Such an environment requires an organization to not only ensure its own compliance but also the compliance of its supply chain. VendorShield provides an effective and automated solution for monitoring and addressing third-party risk to an organization.
How can SanctionShield help me?
The US Government regularly sanctions individuals and entities, barring them from participating in Government business. For the Defense Industrial Base, it is necessary to regularly run sanctions checks on employees, vendors, etc. SAM.gov publishes an exclusion file used by many organizations for screening and/or compliance purposes. ... An exclusion record from SAM.gov indicates that the individual or organization listed is disqualified from receiving any federal government contracts. S.A.M. stands for System for Award Management. Similarly, the Office of Foreign Assets Control (OFAC), a financial intelligence and enforcement agency of the U.S. Treasury Department, administers and enforces economic and trade sanctions in support of U.S. national security and foreign policy objectives. SanctionShield automates the process of checking your list of employees / contractors / vendors against these sanctions lists and alerts you on exceptions as and when they are detected.
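As an added illustration of the screening step described above (example code written for this page, not SureShield's own), the block below normalizes each party name and compares it against a constructed exclusion extract. The column names and records are invented for the example and do not reproduce the real SAM.gov file layout; names that differ only by punctuation, case, corporate suffix, or word order still match, and a name missing a token (such as a middle initial) is flagged for manual review rather than silently passed.

```python
import csv
import io
import re
import unicodedata

# Constructed sample extract (invented columns and records, not the real SAM.gov layout).
EXCLUSIONS_CSV = """Classification,Name,Exclusion Type,Active Date
Firm,ACME Widgets Inc.,Ineligible (Proceedings Completed),2019-04-02
Individual,"Doe, John A.",Ineligible (Proceedings Completed),2020-01-15
Firm,Globex Corporation,Prohibition/Restriction,2018-11-30
"""

CORPORATE_SUFFIXES = {"inc", "llc", "corp", "corporation", "co", "ltd"}


def normalize(name):
    """Fold case, strip accents/punctuation, drop corporate suffixes and sort
    tokens so 'Doe, John A.' and 'John A Doe' produce the same key."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", ascii_name.lower()).split()
    return " ".join(sorted(t for t in tokens if t not in CORPORATE_SUFFIXES))


def load_exclusions(csv_text):
    """Parse the extract into (normalized key, original record) pairs."""
    return [(normalize(row["Name"]), row) for row in csv.DictReader(io.StringIO(csv_text))]


def match_level(party_key, exclusion_key):
    """'exact' when keys agree; 'review' when one name's tokens are a subset of
    the other's (e.g. a missing middle initial); None when unrelated."""
    if party_key == exclusion_key:
        return "exact"
    a, b = set(party_key.split()), set(exclusion_key.split())
    if a and b and (a <= b or b <= a):
        return "review"
    return None


def screen(parties, exclusions):
    """Check the organization's own employees/vendors against the exclusion
    list; returns (party, level, record) for every hit needing attention."""
    hits = []
    for party in parties:
        key = normalize(party)
        for exclusion_key, record in exclusions:
            level = match_level(key, exclusion_key)
            if level:
                hits.append((party, level, record))
    return hits
```

Exact hits are blocking findings; "review" hits are worth a human look because token-subset matching can also produce false positives on common names.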