CMMC (Cybersecurity Maturity Model Certification)
CMMC (Cybersecurity Maturity Model Certification) is a unified standard for implementing cybersecurity across the DIB (Defense Industrial Base), a supply chain that comprises more than 300,000 companies. CMMC is the DoD's response to the massive compromises of sensitive defense information stored in contractors' information systems.
The United States Department of Defense released the highly anticipated CMMC version 1.0 on 31st January 2020. The standard incorporates substantial input from University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry. To make sure that you comply with these standards, you can contact Internal Auditing Pros for help.
In the past, contractors were responsible for implementing, monitoring, and self-certifying the security of their information technology systems and of any sensitive DoD information transmitted by or stored on those systems. Contractors are still responsible for implementing the cybersecurity requirements, but CMMC changes the paradigm by requiring third parties to assess compliance with mandatory practices, capabilities, and procedures that can adapt to new and evolving cyber threats from adversaries. Internal Auditing Pros come in handy at this point.
The Actions That DoD Contractors Should Take
DoD contractors should learn the technical requirements of CMMC immediately and prepare both for certification and for long-term cybersecurity agility. Details on how CMMC assessments are conducted, and how to challenge them, are now available. DoD contractors can now evaluate their gaps, procedures, and practices and are well-positioned to navigate the process and meet the mandatory contract requirements. You can keep up to date with the certifications at the CMMC FAQ section online.
The CMMC Framework
CMMC establishes 5 certification levels that reflect the maturity and reliability of a company's cybersecurity infrastructure in safeguarding the contractor's information systems and sensitive government information. The levels are cumulative: each level builds on the technical requirements of the one below it, so every level requires compliance with the lower level's requirements plus the institution of additional processes for implementing specific cybersecurity practices. Here is an overview of the practices and processes of every level:
Level 1: Companies should perform 'basic cyber hygiene' practices, such as ensuring employees change their passwords regularly and use antivirus software, to protect FCI (Federal Contract Information). FCI is information generated for or provided by the government under a contract to develop or deliver a product or service to the Government and not intended for public release. It does not include certain transactional information or public information.
Level 2: The company has to document specific 'intermediate cyber hygiene' practices to start protecting CUI (Controlled Unclassified Information) by implementing a subset of the security requirements of NIST (National Institute of Standards and Technology, part of the US Department of Commerce). CUI is information that a law, regulation, or government-wide policy requires to have safeguarding or dissemination controls, but it excludes classified information.
Level 3: Companies should have institutionalized management plans for implementing 'good cyber hygiene' practices to safeguard CUI, covering all of the NIST SP 800-171 r2 security requirements together with additional standards.
Level 4: The company should have implemented processes for measuring and reviewing the effectiveness of its practices, together with additional enhanced practices to detect and respond to the changing tactics, techniques, and procedures of APTs (advanced persistent threats). An APT is an adversary that possesses sophisticated levels of expertise and significant resources, allowing it to create opportunities to use multiple attack vectors to achieve its objectives.
Level 5: The company should have standardized and optimized processes in place across the whole organization, plus further enhanced practices that provide more sophisticated capabilities for detecting and responding to APTs.
Who Should Comply With CMMC?
All DoD contractors have to obtain the CMMC (Cybersecurity Maturity Model Certification). This encompasses suppliers at all tiers of the supply chain, foreign suppliers, commercial item contractors, and small businesses. The CMMC Accreditation Body (CMMC-AB) coordinates directly with DoD to develop procedures for certifying the independent third-party assessment organizations and assessors that evaluate the CMMC levels of other companies. The best example of such a third-party certification organization in the United States is Internal Auditing Pros.
When is CMMC Compliance a Requirement?
According to DoD predictions, minimum certification requirements would begin appearing in requests for information (RFIs) by June 2020 and in select requests for proposals (RFPs) in September 2020. DoD has also indicated that the certification level required of a prime contractor will not necessarily be the certification level required throughout the entire supply chain for a specific contract. Differing certification levels on one contract have the potential to raise complex implementation challenges for primes and subcontractors alike.
The accreditors and accreditation procedures have not yet been established, but the details are expected soon. Early preparation will lead to a more efficient assessment and better results. Contractors should take immediate steps to clearly document the procedures and practices that already comply with CMMC requirements, and should plan for and implement further practices and procedures to obtain the highest possible certification level.
Prime contractors should also start, or continue, working with subcontractors throughout the whole supply chain to develop compliance programs where needed or to review the programs already in place.
Offerors should closely review RFIs and RFPs that include minimum certification requirements to make sure that the evaluated level is not unnecessarily burdensome and that the required certification level is clear throughout the whole supply chain. Offerors should provide feedback to DoD during the market research stage and during the RFP question and answer process.
The other thing is to follow the development of assessment challenges. All contractors are concerned with what form of due process is available if an audit result or certification level is erroneous. CMMC assessments have a significant impact on a contractor's ability to meet minimum contract requirements, and a low rating will limit the contractor's ability to compete for work meaningfully. A contractor's right of appeal is not yet established in CMMC, but DoD has indicated that it is coming. This is a very important development that should be followed.
The other important thing is to prepare to be agile. CMMC certification is soon going to become a requirement before you are eligible for the award of DoD contracts. However, once certification is complete, you should not view your cyber compliance as complete. According to DoD, CMMC is just the starting point for transforming contractors' internal cybersecurity culture. Contractors should foster a culture of flexibility and cyber resiliency within their enterprise. The best third-party service to help you with this compliance is Internal Auditing Pros.