Sensitive data and information correlated to the U.S. Department of Defense (DoD) actions are hacked and compromised on a continuous basis and it is a problem for every DoD contractor. The U.S.federal government has put in place a severe and critical update to its cybersecurity model. The latest Cybersecurity Maturity Model Certification (CMMC) puts a huge and necessary focus on data within DoD contractors, subcontractors and supply chain organizations’ networks.
New as of January 31st is the Cybersecurity Maturity Model Certification (CMMC), which greatly impacts the Department of Defense (DoD). The CMMC changes how the DoD looks at cybersecurity and its goal is to better the National Institute of Standards and Technology (NIST) and the Defense Federal Acquisition Regulation Supplement (DFARS) by regulating that every contractor (DoD included) must be audited and then certified by a third-party auditor (3PAO).
The CMMC consists of five different levels that will analyze cybersecurity controls and make sure that they are in line with all required policies to obtain each level of CMMC compliance. The CMMC will essentially determine if one can bid on a DoD contract or not. Each government contractor will not be considered eligible unless they meet the applicable cybersecurity level.
Becoming compliant with the CMMC is a stipulation of the DoD and it is paramount to understand the framework behind CMMC and the effects it will have on your company. All companies that do and conduct business with the DoD must be certified. Let’s take a closer look at CMMC to gain a better understanding.
1. What is CMMC?
Cybersecurity Maturity Model Certification is an official certification of your organization’s cybersecurity. Five different levels make up the certification walking you through meeting each requirement. CMMC is the DoD’s work to make the Defense Industrial Base (DIB) secure.
The CMMC Model comprises many different standards that need to be met by each individual organization. These standards are common to defense to possible breaches of cybersecurity, which could destroy your business.
The CMMC serves as a way to verify and ensure that the correct levels of cybersecurity processes and procedures are being performed while maintaining basic cyber hygiene. Cyber hygiene is in reference to the basic measures taken to protect sensitive information. The CMMC also manages and protects controlled unclassified information (CUI). CUI is any data that the DoD creates, shares, receives or possesses, or that another entity may create or possess for or on behalf of the Government. This information is only handled based on a specific safeguarding law, directive, or DoD procedure or policy.
2. CMMC’s 17 Domains
CMMC is comprised of 17 different domains as follows:
- Access Control
- Asset Management
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Recovery
- Risk Management
- Security Assessment
- Situational Awareness
- System and Communications Protection
- System and Information Integrity
Download our CMMC Whitepaper: Best Cybersecurity Practices for DoD Contractors
These domains all play a vital role in initiating and maintaining cybersecurity for all businesses as well as the DoD.
3. Why is CMMC important?
If you don’t meet the CMMC specifications, you will no longer be able to compete for the DoD’s business, essentially putting you out of business. Your entire supply chain could be at risk if your suppliers are not compliant or fall victim to a cyber-attack. From here, we are looking at the possibility of a substantial profit loss, bad ratings and loss of any future business and even contract eligibility.
Getting on board and beginning to prepare yourself and your company to gain compliance (which can be time-consuming) is an imperative step that you need to be taking now.
4. There are Five Levels to CMMC
At Level 1, this is your basic cyber hygiene and these are things that you should already be doing, such as virus scans. At Level 1, your focus will be to create a foundation to build off of for the next levels. There are currently 17 controls that make up your CMMC Level 1.
There are 72 controls that comprise CMMC Level 2. Level 2 incorporates a more in-depth cyber hygiene regimen, generating a maturity-based development for your business. This hygiene makes it so that your organization has a better ability to both defend and withstand its assets against any cyber threats.
At CMMC Level 2, your business will need to find and begin documenting its basic operating procedures, strategies, and tactical plans to maintain cybersecurity. Level 2 requires that your business actually establishes and documents procedures and policies to lead the execution of any CMMC efforts. This documentation of procedures enables the business to do them in a repeatable way without fault. Documentation is a key part of Level 2, bridging Level 1 to Level 3.
At Level 3, businesses are expected to be able to reserve activities and review adherence to CMMC policy and procedures, demonstrating management of practice implementation of these policies. It should be noted that any business that requires access to CUI and may generate CUI will need to reach and achieve Level 3. There are 130 controls that comprise CMMC Level 3.
There are 156 controls that are involved in CMMC Level 4. Once you obtain Level 4, your business has a proactive cybersecurity program that thus far, meets all requirements. At this level, your business must be capable of reviewing and documenting actions for efficiency and must have the ability to inform management of any problems.
Level 4 ensures that your business must review and record any practices for efficiency and effectiveness. Organizations at Level 4 also have the ability to take counteractive action when necessary to fix anything and to let management know about the problem.
Level 5 has 171 controls and is a certification your business has developed a progressive cybersecurity platform and is able to augment and further optimize its cybersecurity abilities. Obtaining Level 5 means that the cybersecurity implementation procedure is being consistent throughout the entire organization.
5. Shoot for Level 3 at Minimum
When your business has access to any type of government data, you are most likely storing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). If your business entity does in fact transmit CUI, reaching Level 3 certification is necessary. It should also be noted that if you have export-controlled data, it will be thought of as CUI and it will then be necessary to be at Level 3.
Meeting the CMMC requirements requires utilizing many solutions and resources. Management solutions, compliant platforms, encrypted assets and data back-ups will be working as a team to make sure that cybersecurity is met.
6. Gaining CMMC Takes Time
The road to CMMC compliance is a long one. If you are only just getting started with CMMC certification, it is said to expect the entire process to take about six to seven months. This is because writing out all policies, initiating solutions and starting out with the many changes around the business will all take time.
7. CMMC Compliance Expert
You should not overburden the IT guy with all of this. Hiring a compliance expert to assist with becoming CMMC compliant will save yourself from a lot of stress and confusion. This investment will make sure that your IT tech does not become tasked with more than he is able to handle.
A compliance expert can and will help to determine how advanced and sturdy your current security program is. They can look into how your organization currently identifies and controls complex and secretive government information. The compliance expert may also compare your business as a company against the standard and from there, begin to figure out where you are, as well as where you’ll need to be as a company to be able to meet the compliance requirements of the given DoD contract you’re attempting to obtain.
It should also be noted that when you are compromised, all of that long-sought-after compliance is not lost. It is very well known that when it comes to any type of privacy or security breach, it is simply not a matter of if it will ever take place, but when it does happen. For any business, contractors or subcontractors that achieved certification, when a security breach happens, the certification will not be lost. Though, contingent on the details of the compromise, that particular contractor may be required to go through recertification at some point, which would end up entailing extra costs incurred on the contractor’s behalf.
There is a Self-Assessment Handbook, provided by the National Institute of Standards and Technology (NIST) for your compliance expert to utilize. This will assist your business in preparing to gain compliance.
8. How Costly is CMMC Certification?
Cybersecurity Maturity Model Certification is not cheap. Companies and businesses that undoubtedly will wind up needing to make some changes to their cybersecurity practices due to CMMC will require the aid of consultants who are able to provide the necessary tools, software, and processes. The entire audit and CMMC certification process is expensive
The DoD and other federal and state agencies recognize and acknowledge that it is very expensive to set up security controls and to get started on CMMC certification. The DoD and federal and state agencies are said to be working to figure out a way to provide monetary aid for a few of the CMMC compliance and compliance costs and fees. They are keeping small and mid-sized DoD contractors in mind and are considering many different financial support plans.
9. CMMC is Taking Effect Quickly
Your business needs to recognize that the DoD is moving rather quickly to get started with CMMC. The current prediction for CMMC states that DoD contractors must be certified by the late months of 2020 for them to be able to bid on any contracts. No contracts mean no money and this means that you must get started right away.
To get started preparing, your organization needs to figure out where they are in regards to certain controls and which CMMC level they want to attain as quickly as possible. The CMMC requirements might cover controls from other frameworks. Be prepared to take on any delay and have enough time to cover those delays in the event that they end up taking longer than expected.
10. No More Self-Certifying
Gone are the days of self-certification. Previously, certain regulations allowed DoD contractors the option to self-certify. When they would find any security problems, they would be identified and then noted in a Plan of Actions and Milestones (POA&M). This gave the business the opportunity to provide services and a product without having to attain compliance and a bunch of security controls. No, with CMMC in place, this self-certification is gone forever.
It should be noted that POA&Ms are no longer acceptable, which forces all companies to address any weaknesses and fix them so that they can move forward and achieve compliance and certification. This means that a third party auditor (3PAO) is essential. This solves an issue that is present in which some businesses do a self-certification and they don’t even understand or put in place any needed security controls. In turn, this just does more damage than good.
Closing Thoughts
The Cybersecurity Maturity Model Certification is a solution that aims to enhance the cybersecurity of companies throughout the DIB in order to reinforce the protection of CUI residing on organization networks. Third-party auditors will check up on the CMMC and then will proceed to evaluate companies and will then determine which level each individual organization needs to be at for optimal security.
CMMC is making sure that each DoD contracted company takes the appropriate cybersecurity measures to ensure the safety of data and to prevent breaching. This is essential and gets everyone on the same page and on the path to better cybersecurity. Contact RSI Security today to get certified!