The theft of intellectual property and sensitive information across the Defense Industrial Base (DIB) and the supply chain of the Department of Defense (DoD) threatens economic and national security. To combat these threats the DoD has created the Cybersecurity Maturity Model Certification (CMMC) to ensure contractors are practicing and maintaining cybersecurity best practices.
What is CMMC?
The CMMC model is a set of mandatory cybersecurity requirements that all 300,000 plus DoD defense contractors must both implement and have that implementation validated by an independent third party before contract award. There are no exceptions or waivers; this applies to every DoD supplier.
How will CMMC Affect Your Organization?
CMMC will be mandatory for all DoD contractors (Primes and Subs). Self-attestation will no longer be acceptable with CMMC introducing the requirement for independent third party certification. Protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will become go-no-go contract award criteria.
Everything You Should Do to Effectively Prepare for CMMC
Getting ready for CMMC is a relatively straight forward process given that the DoD has made NIST 800-171 the foundation for certification.
To understand DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and NIST 800-171:
Steps you can take now to prepare for CMMC, keep reading.
to CMMC Preparation
CMMC incorporates all 110 security requirements of NIST 800-171, covering 85% of the CMMC Level 3 compliance requirements.
The CMMC covers five maturity levels, and without knowing what level your organization will be required to achieve, the first step is a practical, tailored assessment against NIST 800-171 and CMMC Maturity Level 3. This step enables you to meet current regulatory requirements and prepare for CMMC simultaneously.
Your SSP describes your environment and how you have implemented all of the required security requirements.
Nobody enjoys documentation, but it’s required, and if done correctly, your SSP will be transformational for your organization. Your SSP is not a template; it should become a precise representation of how your organization protects Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) as it flows through your systems.
Develop and implement plans of action designed to correct deﬁciencies and reduce or eliminate system vulnerabilities in preparation for CMMC.
Inevitably there will be requirements that you do not currently meet. Requirements not met should have been documented during your assessment, and a POAM “return to green” plan created to meet these requirements. Often, they serve the additional purpose of answering management questions around how much and how long to achieve compliance?
Execute POAM’s and achieve full compliance with NIST 800-171 to prepare for CMMC and become compliant with existing contracts.
Though the focus is on certification, implementation is the long pole in the tent to full compliance for any company. Implementation across the 17 domains of CMMC requires subject matter expertise and determining prioritization of resources based on the results of your assessment. Expect this to be the longest, most challenging part of your journey to compliance.
Document and implement a plan to leverage internal or external resources to maintain compliance and quickly achieve the required CMMC maturity level.
Compliance is not a one and done activity, and CMMC will require re-certification periodically. Managed services will enable you to maintain compliance over the long haul and avoid the atrophy that can lead to a failed audit.
The CyberSheath team has been working with the DoD since 2008 from the inception of voluntary cybersecurity requirements, which has led us to today’s mandatory CMMC requirements. Our employees come from the Defense Industrial Base and understand the practical limitations of control implementation in manufacturing, engineering, and other operational environments. Our time and your resources are best focused on “how” to implement compliance specific to your unique environments; most vendors never get past telling you “what” you need to do.