The Cybersecurity Maturity Model Certification (CMMC) was officially launched on January 31st, ushering in a new era of visibility and accountability for defense contractors. CMMC brings sweeping changes on how the Department of Defense (DoD) views cybersecurity.
CMMC aims to build upon the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) frameworks by requiring every contractor to be audited and certified by a third-party auditor (3PAO). The model prescribes five levels of cybersecurity maturity that measure cybersecurity controls and processes and ensure alignment with relevant policies. Most importantly, this certification will eventually determine whether you will be able to bid on a DoD contract.
C3 Integrated Solutions provides defense contractors with the solutions they need to become CMMC compliant. Prior to the release of CMMC, we have worked with many contractors to support their pursuit of NIST 800-171 and DFARS 252.204-7012 compliance. We’ve been closely tracking the pre-release of CMMC and can leverage that experience to prepare you for CMMC.
Your first step toward compliance is to understand the CMMC framework, and how it will affect your company.
Here are our top ten things to know about CMMC:
- Do you have a DoD contract? This applies to you – yes, all of you.
Three hundred thousand companies are involved in the Defense Industrial Base (DIB) to some extent, whether they are contracting directly with the DoD or are subcontractors to larger firms. Regardless of the relationship to the DoD, all contractors will need to achieve at least Level 1.
- You should already be at Level 1
Level 1 parallels the FAR 52.204-21 requirements, which all federal contractors must meet. These 17 controls are all basic cyber hygiene and represent the minimum any contractor should have already deployed.
- CMMC is good for the industry
Seriously. In addition to the obvious need to protect our warfighting advantage and preserve our intellectual property, CMMC will create a new baseline that will ensure all contractors make meaningful investments in cybersecurity. This will level the playing field for those who are already doing the right thing.
- CMMC does not replace DFARS 252.204-7012
CMMC builds upon DFARS 252.204-7012 and NIST 800-171 by clarifying some controls and adding additional requirements. In fact, the DFARS clause is being re-written to embed the CMMC requirements. This update is to be released for public comment any day now and will be the trigger for the launch of CMMC requirements for contracts. Once finalized, CMMC will be a part of all RFPs for any contractor wishing to do business with the DoD.
- Shoot for Level 3 to start
If you hold any government data (or create data) in the performance of your contracts, you likely hold and least Federal Contract Information (FCI) and probably hold Controlled Unclassified Information (CUI). If you store, process, or transit CUI, you will need at least Level 3 certification. Also, if you hold export controlled (i.e. ITAR) data, that is considered CUI and it will be subject to at least Level 3 as well as additional ITAR-related data sovereignty rules. As a side note, the CMMC guidelines are still not clear about what type of data qualifies as Level 4 or 5.
- System boundaries matter
CMMC version 1.0 states that contractors can choose to “achieve a specific CMMC level for its entire enterprise network or for particular segment(s), or enclave(s), depending on where the information to be protected is handled and stored.” This is important because minimizing the systems that store, process, or transmit CUI data will allow you to minimize the attack services as well as lower costs of compliance. For example, do you have a cloud-based CRM? If you don’t put any government data in the system, you might be able to exclude it from your boundary.
- There is no silver bullet
Meeting the requirements of CMMC takes the integration of multiple solutions. Compliant platforms, encrypted assets, data back-ups, monitoring and management solutions all need to work together to eliminate cyber-vulnerabilities.
- Policies matter
Gone are the days where you could write a policy, stick it in a (virtual) desk drawer and forget about it until the next audit. CMMC requires the integration of policies into the practices that you put in place. For example, does your mobile device policy require all users to be enrolled in mobile device management (MDM)? You should be able to detail what is required for device compliance in order to enroll and run reports to verify the policy is being enforced.
- Look at your cloud platforms
If you use a SaaS solution, you need to evaluate whether that solution is “in-boundary”. If so, does it meet the CMMC requirements? Because CMMC is so new, it will be a little while before vendors actively promote whether they are compliant. However, many of the larger providers (i.e. Microsoft, Salesforce, Duo and more) have government versions of their products. These are dedicated versions that usually meet at least FedRAMP Moderate. As you evaluate your options, look for NIST 800-171 or even NIST 800-53 compliance as a good proxy for CMMC. (Note: If you hold ITAR data, there are significant additional requirements including data sovereignty that are incremental to CMMC.)
- Don’t wait
This takes time. If you are starting from scratch, you should plan for at least six months to get compliant. Writing policies, deploying solutions, and instituting the necessary culture changes are all efforts that take time. Finally, if you do not have a compliance expert on staff, make the investment to hire one, either internally or externally. There is still a lot of confusion in this space and it’s just not fair – or good practice for your company – to throw your IT manager into the deep end without any help.
Ready or not, it’s time to get started on the road to CMMC compliance. Our team is making every effort to stay on top of CMMC as it evolves. We help our clients configure or implement the proper technology to achieve compliance. Regardless if you are completely in the dark, or perhaps just have a couple of spots where you need assistance, we have the expertise to help.
This content was written by C3 Integrated Solutions, a leading provider of Microsoft Government Cloud solutions including Office 365 GCC, GCC High and Azure Government. With multiple Gold Competencies, we specialize in helping clients achieve CMMC and NIST 800-171 compliance by providing MSP, security and Office 365 integration services. Our approach provides personal service on your terms. To learn more, contact us at firstname.lastname@example.org or check out our website at www.c3isit.com.