CMMC was launched by the Department of Defense (DoD) to bolster cybersecurity controls and process by enhancing security visibility and accountability for defense contractors. If your company has a DoD contract, then CMMC applies to you.
Building upon the Defense Federal Acquisition Regulation Supplement (DFARS) and the National Institute of Standards and Technology (NIST), CMMC requires every contractor to be audited and certified by a 3rd party auditor. In early 2021, the DoD began adding CMMC requirements to all new DoD RFPs, and therefore this certification will eventually determine whether you will be able to bid on a DoD contract.
CMMC creates a new baseline that seeks to ensure all contractors make meaningful investments in cybersecurity. As cyberattacks and breaches continue to grow in both the private and government sectors, CMMC requirements will benefit all stakeholders, including your business.
CMMC requires DoD contractors to achieve a designated cybersecurity level in order to qualify for contract awards. These standards are also designed to protect the networks of government contractors for the sector's own benefit. It’s a win-win scenario.
The certification also helps contractors with their preparedness for cyberattacks, and with incident prevention. Even if an attack occurs, CMMC enables a faster recovery, which would reduce associated penalties or financial implications.
The new model regulates five cybersecurity maturity levels of controls and processes that align with relevant policies. For example, Level 1 adopts the FAR 52.204-21 requirements, which all federal contractors must meet. Level 1 has 17 controls, all of which are basic cybersecurity measures that provide the minimum security any contractor should have already implemented.
Now, CMMC compliance can feel overwhelming with these different levels, controls and changes. But you're likely more compliant than you think. In fact, many small- and medium-sized DoD contractors already possess CMMC Level 2 or 3 compliance, while large contractors are likely going to meet tiers 4 or 5 with ease.
Here is what we can help you do to become CMMC compliant in preparation for an upcoming audit:
CUI questions to determine your security level
Most subcontractors won’t need the same security level as primes, but all DoD contractors will need to be CMMC security Level 1 compliant. If you manage controlled unclassified information(CUI) in any way, you have to meet at least CMMC security Level 3.
CUI mostly includes personal identifying information, specs of military equipment, sensitive information about military schedules and personnel, and confidential configuration documentation for government networks.
Perform a risk assessment
Our NIST 800-171 certified cybersecurity consultant will perform a risk assessment. This assessment will review your progress toward compliance with the NIST 800-171 controls and uncover the areas that are deficient. Our consultants will also conduct vulnerability scanning and penetration testing and will report their findings.
The rule of thumb is this: If you get certified for NIST 800-171 compliance, you are pretty close to CMMC levels 1-3 certification.
Write a systems security plan
This step involves providing details regarding your security status quo and any policies that are in place that guide your cybersecurity using a NIST template. In the case that any deficiency is uncovered, we’ll put together a POA&M (plan of action & milestones) as a part of the solution.
Prepare for incident management
We can help you make and keep a high-quality incident management plan and drill on it regularly. In case a security incident does occur, you are also expected to file a report to the DoD within 72 hours.
Follow up and continually improve
We’ll help ensure that your policies are achievable and measurable. If you state that you will keep all systems fully scanned and patched at all times, then you must do so. If you fail to patch a system and, in that time, a security incident occurs, it will count doubly against your firm for both the general failure and the violation of your policy.
In a nutshell, CMMC embraces a new collaborative risk management approach that will help all DoD contractors and clients alike to better manage cybersecurity risk.
With CMMC compliance requirements in effect, it’s important for contractors to assess their current CMMC readiness. With DynaSis' CMMC compliance consulting services, we can help prepare you for the incoming CMMC audits. Contact us today to get started.