The U.S. Department of Defense (DOD) now requires that contractors and subcontractors bidding on—and winning—contracts meet Cybersecurity Maturity Model Certification (CMMC) requirements.
The DOD adopted CMMC just prior to 2021 to enforce the protection of federal contract information and ensure control of unclassified information throughout its supply chain. That information is referred to as Controlled Unclassified Information (CUI). It is defined as digital and physical information created by a government or entity on its behalf that, while not classified, is still sensitive and requires protection. Even though it isn’t classified, this information can be secret or top secret. Past supply-chain breaches that may have exposed some of this very sensitive information that could adversely impact national security have made headlines. The Solar Winds hack that impacted nearly 40 defense companies last year is one example.
CMMC: a tiered maturity model
If your company is—or wants to be—entrusted with national security information, CMMC requires you to implement cybersecurity standards at progressively advanced levels based on the type and sensitivity of the information you handle. The program also defines the process for information flows to subcontractors. While the CMMC model can be daunting when taken in total, it’s essential to start the process as soon as possible because achieving compliance takes time and effort. But starting now also spells faster opportunities because, with the implementation of CMMC 2.0, the DOD now intends to award contracts to companies with a Plan of Actions and Milestones (POA&M) in place to complete CMMC requirements. So, you can land contracts now as you work toward achieving full compliance.
Start with a gap analysis
A U.S. National Institute of Standards and Technology (NIST) SP 800-171 gap analysis should be at the top of your CMMC compliance checklist. SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, was created in response to today’s evolving cyber threats and adopted by CMMC. SP 800-171’s guidelines define how CUI should be securely accessed, transmitted, and stored in nonfederal information systems and organizations, falling into four main categories:
- Controls and processes for managing and protecting information
- Monitoring and management of IT systems
- Clear practices and procedures for end users
- Implementation of technological and physical security measures
Given the challenges that come with CMMC compliance, it’s worth considering jumpstarting your program by working with an experienced CMMC cyber defense team to perform your gap analysis for each of these areas. Supported by experts in compliance and governance assessment, you can identify where you need to focus your efforts to meet your maturity model requirements.
Moving up the CMMC maturity tiers
CMMC Model 2.0 includes three tiers:
CMMC Level 1: Foundational
For Level 1 CMMC compliance, you must implement 17 controls spelled out from NIST SP 800-171 and submit an annual self-assessment to the DOD using the Supplier Performance Risk System (SPRS).
And when reviewing cloud providers, you should check for adherence to SP 800-171. That’s relevant because compliance indicates that the provider enforces a secure control plane, as required by CMMC.
CMMC Level 2: Advanced
CMMC Level 2 compliance requires implementing the 110 controls in NIST SP 800-171. You must also submit an annual assessment. In some cases, if your company handles critical national security information, an independent triennial evaluation performed by a CMMC Third Party Assessment Organization (C3PAO) may be required.
CMMC Level 3: Expert
The highest maturity tier, Level 3 compliance requires that you have the NIST SP-800-171 controls in place as well as a subset of controls from NIST-SP-800-172 before undergoing a triennial government-led assessment. Because CMMC 2.0 was just introduced, the DOD is still developing the requirements for this level.
Security basics: The heart of CMMC
CMMC spells out in detail what you need to do to achieve compliance. Here again, expert guidance can be invaluable in implementing your CMMC maturity program effectively and efficiently. That said, at its core, compliance is all about security. In its overview of implementation, CMMC lists five security-related steps you should take:
1. Educate people on cyber threats
As with every organization, your employees are your front-line defense against cybersecurity attacks and ransomware. With that in mind, establishing a cybersecurity awareness training program is a crucial first step in bolstering your defenses. Training your employees regularly helps them recognize and avoid cyber threats. Your program should include baseline testing using mock attacks and continuous assessment through simulated phishing, vishing (video phishing), and smishing (SMS phishing) attacks. It should also produce actionable metrics that give you insights into the effectiveness of the training so you can continually improve your program.
2. Implement access controls
Network access controls keep unauthorized users and devices out of your network. You can learn more about how to implement effective access controls in this recent blog from our CEO.
3. Authenticate users
Use multi-factor authentication (MFA) and other tools and technologies like cloud zero trust network access to ensure that every device that connects to your network is authenticated and behind a firewall.
4. Monitor your physical space
Security in the real world matters just as much as it does in the digital world. So, make sure your facilities are secure from malicious entry, natural disasters, or other unforeseen circumstances that could put your data and infrastructure at risk.
5. Update security protections
Diligence in keeping your backend infrastructure patched, protected, and up to date is also a foundational element of CMMC—and good digital hygiene. Make sure every aspect of your infrastructure is ready for whatever threats come your way.
Thank you for trusting us to help with your cybersecurity and compliance needs.
Contact us any time—we’re always happy to help.
Jon
