DoD Government Archives – Systems Service Enterprises
https://www.sseinc.com
IT solutions and training built around serving commercial and government markets.
Thu, 15 Aug 2024 16:20:56 +0000

Who is Responsible for Protecting CUI?
https://www.sseinc.com/dod-government/who-is-responsible-for-protecting-cui/
Thu, 06 Oct 2022 13:38:12 +0000

Keeping CUI, or Controlled Unclassified Information, protected is the reason regulations such as CMMC and NIST 800-171 exist. But who is responsible for protecting CUI?

Ultimately, the Department of Defense (DoD) is in charge of safeguarding classified national security information. Additionally, the DoD plays an important role in establishing policies and procedures that government contractors must abide by to keep unclassified controlled technical information safe.

In this article, we’ll go over some foundational knowledge before going deeper into who should be protecting controlled unclassified information and how to protect it.

What is controlled unclassified information?

Taking a step back, let’s establish what exactly controlled unclassified information is.

According to NIST, CUI is “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.”

Thankfully, we don’t have to interpret what that means for the CUI we might be handling. The DoD has an extensive list that can be downloaded as a reference. More simply, below are some of the most common items that can be considered CUI:

  • Emails
  • Electronic Files
  • Blueprints or Drawings
  • Sales Orders
  • Contracts

CUI basic and CUI specified: what’s the difference?

Whether controlled unclassified information is CUI basic or CUI specified comes down to the way it must be handled. The rules for how data is handled are called dissemination controls.

Data labeled as CUI basic does not have specific dissemination instructions, whereas CUI specified has required dissemination instructions that must be documented and implemented.

Does CUI have to be protected?

Yes, protecting CUI is federally mandated under current NIST 800-171 and CMMC requirements. CUI usually contains sensitive information, so it must be protected to ensure federal agencies’ information is not compromised.

Why is it important to protect CUI?

The United States government is far from immune to cyberattacks. Since CUI is unclassified information, it has fewer controls to protect than classified data. Hackers can find ways to leverage CUI to breach more sensitive, classified information, which creates a huge risk to national security.

What are the consequences of not protecting CUI?

Failure to comply with NIST 800-171 and CMMC requirements or even misrepresenting your organization’s compliance status can result in large fines, loss of a government contract, or even litigation against your organization.

Recently, the Department of Justice rolled out a Civil Cyber Fraud Initiative that leverages the False Claims Act to enforce how companies adhere to and represent their compliance with protecting CUI.  

How can I protect my CUI documents?

To protect your organization’s CUI, you must put a System Security Plan (SSP) in place. An SSP consists of formal plans, procedures and physical security measures.

Of course, putting a plan in place is not sufficient; your company will need to carry out, monitor, and enforce these security plans. Providing training to employees about how to handle CUI correctly goes a long way in protecting controlled unclassified information.

So, who is responsible for protecting CUI?

Ultimately, you are responsible for protecting CUI. Federally mandated programs can provide the tools, guidelines and resources for your organization to follow. However, when CUI is in your or your company’s hands, it becomes your responsibility and liability.

SSE Can Help

It’s wise to conduct a third-party Gap Assessment to determine if you’re compliant or to identify any gaps in your security procedures.

SSE is accredited by the CYBER AB (formerly the CMMC-Accreditation Body) as a Registered Provider Organization (RPO), and we are DoD contractors ourselves. We’ll guide you through the compliance process or consult with you on your current security measures.

Schedule a complimentary CMMC Readiness Assessment today to get started!

What are DoD and CMMC Password Requirements?
https://www.sseinc.com/dod-government/cmmc-password-requirements/
Tue, 06 Sep 2022 18:00:14 +0000

Much like complying with government regulations, password requirements for handling Controlled Unclassified Information (CUI) are an intricate interpretation of different guidelines and protocols.

We’re here to break down the requirements, recommendations and guidelines from the Cybersecurity Maturity Model Certification (CMMC), the Department of Defense (DoD) and NIST 800-171 to make crafting a secure password a little easier.

DoD Password Requirements

The DoD specifies password complexity and length standards as outlined in their Cybersecurity FAQ document.

Simply put, for systems without Multifactor Authentication (MFA), the Department of Defense requires:

  • 15 characters minimum
  • At least 1 character from each of the following character sets: uppercase letters, lowercase letters, numerals, special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ‘ [ ] / ? > <)
  • Devices that cannot support the above requirements, like Windows 10 mobile devices or iOS 12, must meet a 6-character minimum and must not include two repeating sequential characters.
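The two DoD rules above, written as a policy checker; this is an added example, not code from SSE or the DoD FAQ. It assumes Python's `string.punctuation` as the special-character set (a superset of the examples quoted above) and reads "two repeating sequential characters" as any character immediately followed by itself.

```python
import string

# Assumption: the quoted special-character examples are a subset of this set.
SPECIAL = set(string.punctuation)

MIN_LENGTH_STANDARD = 15  # systems without MFA
MIN_LENGTH_LIMITED = 6    # devices that cannot enforce the standard policy


def has_repeated_adjacent_char(pw: str) -> bool:
    """True if any character is immediately repeated, e.g. 'aa' or '11'.

    Assumption: this is what the FAQ means by 'two repeating sequential
    characters'.
    """
    return any(a == b for a, b in zip(pw, pw[1:]))


def check_password(pw: str, limited_device: bool = False) -> list[str]:
    """Return the list of DoD policy violations; an empty list means it passes.

    limited_device=False: 15+ characters and one of each of the four classes.
    limited_device=True:  the fallback for devices that cannot support the
                          standard rule (6+ characters, no repeated adjacent
                          characters).
    """
    problems = []
    if limited_device:
        if len(pw) < MIN_LENGTH_LIMITED:
            problems.append(f"shorter than {MIN_LENGTH_LIMITED} characters")
        if has_repeated_adjacent_char(pw):
            problems.append("contains two repeating sequential characters")
        return problems

    if len(pw) < MIN_LENGTH_STANDARD:
        problems.append(f"shorter than {MIN_LENGTH_STANDARD} characters")
    present = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "numeric": any(c.isdigit() for c in pw),
        "special": any(c in SPECIAL for c in pw),
    }
    for name, ok in present.items():
        if not ok:
            problems.append(f"missing {name} character")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    samples = [
        ("Correct-Horse-Battery-9", False),
        ("Ab1!short", False),
        ("abcdefghijklmnop", False),
        ("Pas12x", True),
        ("Paa12", True),
    ]
    for candidate, limited in samples:
        verdict = check_password(candidate, limited_device=limited)
        print(f"{candidate!r} (limited={limited}): {verdict or 'OK'}")
```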

It’s important to highlight that although the DoD may not yet require multifactor authentication universally, having MFA in place is a requirement under CMMC and NIST 800-171. So what does that mean for minimum password complexity to satisfy CMMC and NIST 800-171 standards?

What are the requirements to meet the minimum password complexity requirements?

DoD requirements include a 15-character minimum with unique characters, which can result in lengthy, hard-to-remember passwords. However, NIST requires MFA, which allows users to create shorter, easier-to-remember passwords or passphrases.

Multifactor authenticators are our best tools against unauthorized access to CUI and protected networks in general. So implementing MFA will not only give you another level of protection, it could result in more memorable passwords for your organization.

Are password managers CMMC compliant?

The short answer is yes, but they must be FIPS-compliant.

However, let’s take a deeper look at CMMC IA.2.081 or control 3.5.10 in NIST 800-171. The control says, “Store and transmit only cryptographically-protected passwords,” which is open to interpretation. However, NIST and CMMC provide further context by highlighting that “all passwords must be cryptographically protected using a one-way function for storage and transmission.” This covers most password management tools.

One important nuance to note is that the password manager must be FIPS-compliant. Federal Information Processing Standard 140-2 (FIPS 140-2) “specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments.” Most commercial password managers cannot guarantee FIPS-validated modules.

Feeling lost in navigating CMMC controls? SSE is your lighthouse.

Interpreting thick regulatory documents can make your head spin, especially when trying to verify that your organization meets all the requirements of your DoD contract. At SSE, we’re accredited by the CYBER AB (formerly the CMMC-Accreditation Body) as a Registered Provider Organization (RPO) and are DoD contractors. We know the ins and outs of CMMC compliance and can help your organization plan for and achieve compliance.

Contact us today to schedule an initial consultation with our team and a complimentary NIST 800-171 & CMMC Readiness Assessment.

The False Claims Act and NIST 800-171: What You Need to Know
https://www.sseinc.com/dod-government/dod-contractors-fca-risk/
Mon, 25 Apr 2022 15:08:37 +0000

Last fall, the Department of Justice (DOJ) announced its new Civil Cyber Fraud Initiative to enforce cybersecurity standards and reporting requirements.

Let’s dive into how the Civil Cyber Fraud Initiative, False Claims Act (FCA) and NIST 800-171 relate to one another and how your organization should approach ensuring your compliance with your government contracts.

What is the False Claims Act?

According to the DOJ, the False Claims Act is “the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and partnering in the recovery and protection of whistleblowers who bring these violations and failures from retaliation.”

DOJ’s Civil Cyber-Fraud Initiative

Riding on the coattails of the False Claims Act, the Civil Cyber-Fraud Initiative is an important enforcement tool for civil fraud, as well as procurement and cybersecurity requirements defined in government contracts.

The Civil Cyber-Fraud Initiative leverages the False Claims Act in three ways to hold companies accountable who:

  • Knowingly or unknowingly misrepresent cybersecurity practices of their organization
  • Fail to follow required cybersecurity standards
  • Knowingly fail to report cybersecurity incidents in a timely manner

Key Takeaway: Abide by contractual standards or face significant penalties!

What is NIST 800-171?

NIST 800-171 (National Institute of Standards and Technology Special Publication 800-171) governs the use of contractors with access to Controlled Unclassified Information (CUI). It’s designed to protect the integrity of CUI and ensure that only vendors meeting a specific set of requirements for cybersecurity practices ever have access to it.

The DoD announced that government contractors would be required to submit a self-scored NIST 800-171 assessment as a result of the DFARS Interim Final Rule rollout in late 2020.

Adhering to required cybersecurity standards can make or break your business

Companies that fail to abide by the cybersecurity standards required by their contracts may face hefty penalties. Penalty fines, combined with the potential loss of government contracts, could create substantial risks to businesses’ revenue streams.

In the first settlement by the DOJ of a Civil Cyber-Fraud case under its Civil Cyber-Fraud initiative, a provider of global medical services will pay $930,000 to settle False Claims violations related to falsely representing compliance with contract requirements.

SSE Can Help You Prepare Your Business

With the complexities around NIST 800-171, the DFARS Interim Final Rule and Cybersecurity Maturity Model Certification (CMMC), SSE can serve as your expert in validating your NIST 800-171 Assessment and/or preparing your company with what is necessary to complete a self-assessment.

SSE has been accredited by the CMMC Accreditation Body as a Registered Provider Organization (RPO). Let us demonstrate how we can help. Schedule your complimentary NIST 800-171 & CMMC Readiness Assessment to get started.

What is a POAM?
https://www.sseinc.com/dod-government/what-is-a-poam/
Wed, 23 Feb 2022 19:35:40 +0000

A Plan of Action and Milestones, or POAM, is a “document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones”, as defined by NIST.

When your organization is working towards NIST 800-171 compliance, there may be unmet requirements. A POAM is necessary in order to plan for and complete the necessary remediation.

Read on to learn more about how POAMs fit into CMMC 2.0 and the steps required to develop a POAM.

POAMs and CMMC 2.0

Previously, under the initial CMMC framework, POAMs were not allowed. You either met all requirements or you didn’t. Under the updated CMMC 2.0, POAMs are permitted on a “limited use” basis.

The DoD anticipates a 180-day timeline to resolve a POAM. Additionally, out of the 110 controls of NIST 800-171 & CMMC Level 2, POAMs for the highest-weighted requirements are likely not permitted. This means that almost 40% of requirements in NIST 800-171 and CMMC Level 2 will not be allowed.


Developing A POAM

Usually, organizations will undergo an internal audit or external assessment, like SSE’s Gap Assessment, to identify and document gaps in their compliance.

A POAM will contain the following information:

  • The area(s) of non-compliance with NIST 800-171
  • The area(s) of the organization responsible for the system or network vulnerability
  • The resources needed to solve the vulnerability
  • Key project milestones with deadline dates
  • The final date for becoming compliant
  • The status of the improvement project

The final document will usually be generated in the form of a spreadsheet and should be continuously updated until it has been resolved.

Work With SSE

At SSE, we know these evolving requirements can feel overwhelming. As a Registered Provider Organization with the CMMC Accreditation Board, we are up to speed on the latest changes. As a DoD Contractor ourselves, we have the vetted IT tools, policy templates and assessment services mapped to NIST 800-171 and CMMC requirements to assist businesses on the road to compliance.

Let us demonstrate how we can help in preparing your business. Schedule your complimentary CMMC Readiness Assessment with our team now!

What is CMMC?
https://www.sseinc.com/dod-government/what-is-cmmc-2/
Thu, 22 Jul 2021 00:00:00 +0000

What Is CMMC?

Any organization that works with state and federal agencies must qualify for the Cybersecurity Maturity Model Certification (CMMC) framework. The certification demonstrates that a service provider can safeguard controlled unclassified information (CUI). Thus, businesses need the certification to work with agencies like the Department of Defense (DoD) and NASA.

DoD created CMMC to ensure that contractors adhere to strict data protection protocols. Introduced in September 2019, the certification and compliance process comes with five levels that determine the nature of compliance requirements placed on service providers. These levels stipulate the degree of protection required for various engagements.

Level one compels contractors to implement basic data protection measures for federal contract information. Stringent standards apply to engagements listed under level three. State and federal agencies certify service providers once they pass the assessment. Individual assessors and a CMMC Third Party Assessment Organization (C3PAO) handle the assessments.

The Department of Defense has plans to achieve the comprehensive implementation of the certification program by 2026. However, an increasing number of state or federal contracts require certification.

For this reason, service providers need to implement the required cybersecurity controls to avoid disqualification from lucrative contracts. Some contractors fail to win contracts due to insufficient time to obtain the necessary certification.

Certification Process

The CMMC Accreditation Body indicates that an average-sized defense service provider requires between eight and 12 weeks to complete the level three certification process. Contractors undergo three phases to become certified CMMC contractors.

Phase One

This preparatory phase can last between four and six weeks as service providers update their cybersecurity controls before assessment. To achieve the required standards, contractors have to improve existing controls and introduce universal practices needed for certification. Enlisting the assistance of established IT consultants like SSE Inc. is an effective way to implement the changes.

Phase Two

An individual assessor or C3PAO examines the contractor’s data safeguards during phase two of the certification process. Depending on the size of the company, this process can take between 24 hours and three weeks. Contractors usually complete level one certifications in the shortest period. The complexity of an organization’s IT infrastructure also determines how long the process takes.

Phase Three

Assessors submit findings for quality checks during the third phase of the certification process. The CMMC Accreditation Body (AB) evaluates the assessor’s report to determine that the contractor qualifies for certification.

CMMC Security Requirements

The first level comes with basic cyber hygiene standards, such as strong passwords, firewalls, and antivirus software deployment.

Level two requires the implementation of more stringent data security measures, including access controls, configuration management, security audits, robust authentication systems, and physical security. Contractors also need to perform risk assessments, provide personnel security, and conduct incident response.

CMMC level three is an extension of the NIST 800-171 r2 standards. It requires the implementation of approximately 47 stringent security controls. Meanwhile, level four emphasizes a proactive approach when detecting, measuring, and deploying cyber defenses against various threats.

Some of the requirements share similarities with DFARS. Furthermore, CMMC level four requirements compel service providers to maintain high levels of vigilance to deal with advanced threats.

Level five incorporates 30 additional security requirements focusing on non-technical aspects, including management and auditing processes.

Preparing for CMMC

IT experts at SSE Inc. recommend taking several steps, including seeking a consultant’s advice, in preparation for CMMC assessments. The first steps entail identifying the CMMC level that applies to your company. If unsure of the correct level, consult an IT security expert. You need to identify the exact level before submitting an RFP application.

Hiring a managed IT service provider to conduct a comprehensive review of cybersecurity is a crucial step. The IT firm assesses your organization’s cybersecurity policies, practices, and network protections. You can proceed to implement a strategic security plan and update protections.

It is vital to exceed the expectations of assessors during the CMMC preparation process. Doing so ensures that your organization passes the certification tests in a short time. The failure to pass the accreditation assessments jeopardizes your chances of joining or remaining in the state or federal supply chain.

Unlike previous compliance requirements, the CMMC mandate compels all organizations involved in the supply chain to qualify for one of five levels. Getting certified opens the doors to lucrative contracts.

Why Choose SSE Inc.

SSE Inc. is one of the prominent IT companies in St Louis. The service provider helps enterprise clients manage IT infrastructure and bolster cybersecurity to ensure compliance with regulatory standards. It operates within the defense industry to assist contractors and other businesses in meeting CMMC standards.

Working with the vendor enables contractors to identify the CMMC levels that apply to them and prepare for rigorous assessments.

SSE conducts reviews of cybersecurity policies and practices to help organizations determine their readiness for assessments by a CMMC Third Party Assessment Organization (C3PAO) or individual assessor. The firm can also assist contractors to meet NIST guidelines and regulations.

Training and Government Services

IT experts at SSE Inc. have many years of combined experience handling cybersecurity and other technology services. They can assist your team in formulating an effective strategy and implementing a cost-effective training program. As a result, it becomes easier to provide the ideal learning environment for your teams.

Gap Assessments

SSE helps organizations conduct rigorous gap assessments of unclassified internal networks to ensure they meet specific CMMC security requirements. The assessment enables the vendor to compile a report on remediation recommendations picked up during the process.

By conducting the analysis, SSE determines both the compliance posture and authorization boundary of the information system. In turn, your organization benefits from the feedback regarding your level of preparedness for meeting CMMC compliance requirements.

IT professionals present findings during documentation review and discussions. They also outline detailed recommendations to help your team remediate the findings.

Cybersecurity specialists at SSE can implement the required changes to your organization’s network system in tandem with the recommendations and overall strategy. Some changes include the replacement of servers or workstations, AD group policy exports, system configuration, and the creation of policy documents templates.

DFARS Interim Final Rule, DoD Self-Assessments, & Planning for 2021 | St. Louis, MO
https://www.sseinc.com/dod-government/dfars-interim-final-rule-dod-self-assessments-planning-for-2021/
Thu, 10 Dec 2020 00:00:00 +0000
Could CMMC Be A Competitive Advantage?
https://www.sseinc.com/frontpage-article/cmmc-competitive-advantage/
Wed, 09 Dec 2020 13:17:01 +0000

By achieving compliance, you could be ahead of your competition when bidding on contracts. Discover how in this recent article by SSE CEO Elizabeth Niedringhaus.

The Department of Defense (DoD) recently issued its much-anticipated Interim Final Rule, which came into effect on November 30, 2020. DoD contractors and subcontractors will be required to submit scored self-assessments against current NIST 800-171 requirements under the new rule. This process will also act as a bridge to CMMC compliance in the coming years.

Have you started working on compliance? Delaying could be a costly error; get ahead of your competition and achieve compliance to ensure your company is eligible for DoD contracts.

Expert Assistance With NIST 800-171 And CMMC For Small Businesses

The experienced team at SSE is available to help assess your current situation and provide a customized solution set for your company to meet NIST 800-171 controls and CMMC practices. As both a DoD contractor and IT solutions provider, in 2017 we self-certified with third-party verification. While new to our clients, CMMC isn’t new to us.

How can SSE help your business?

  • Contact our team and schedule a Readiness Assessment
  • Our team can assess your current environment to gauge your current state of compliance with both NIST 800-171 and CMMC
  • Our team will create a plan to achieve both NIST 800-171 and CMMC compliance, and maintain an audit-ready state
What You Need To Know About CMMC
https://www.sseinc.com/frontpage-article/what-you-need-to-know-about-cmmc/
Sun, 27 Sep 2020 05:20:25 +0000

What Every Single Business Should Know about CMMC

Cybersecurity Maturity Model Certification (CMMC) sets new cybersecurity standards for companies that work with the Department of Defense. Are you aware of how these guidelines will impact your company? If not, now is the time to get to know how CMMC works and what you’ll need to do to meet its requirements.

Who Needs CMMC Certification?

Any company that works with the DoD needs CMMC certification to bid on upcoming contracts. Additionally, subcontractors that work for companies that provide goods and/or services to the DoD will need the appropriate level of certification to continue current business relationships.


What are the CMMC Levels?

CMMC has five tiered levels. The level of certification your business needs will depend on the type of contracts you intend to bid on now and in the future. Bear in mind your subcontractors don’t necessarily have to have the same level of certification that you have if they don’t handle as much information as you work with.

Level One

Any government contractor should already be Level One compliant, as the requirements at this level are the same as the existing FAR 52.204-21 requirements. Only basic cybersecurity practices such as maintaining anti-virus software, selecting strong passwords, and changing passwords regularly are required at this level.

Level Two

Level Two certification requires adherence to intermediate cybersecurity standards and is a must for any company working with controlled unclassified information (CUI). It’s a “transitionary level” of sorts for businesses that want to make it to Level Three but aren’t quite there yet.

Level Three

Any business that stores or processes CUI, holds Federal Contract Information, possesses government data or holds export-controlled data will need Level Three CMMC authentication. This is the CMMC level that most government contractors should aim for.

Level Four

Level four, like level two, is meant to be a transitionary stage between levels three and five. The requirements for this level are pretty challenging as you’ll need to take measures to not only protect yourself from run-of-the-mill cyberattacks but also advanced persistent threats. These threats include, but aren’t limited to, rogue nation-states and terrorist organizations. You’ll need proactive cybersecurity measures that keep your systems safe by aggressively identifying potential threats and eliminating them before a data breach occurs.

Level Five

Level Five is the highest CMMC certification level. Businesses at this level must have fully optimized processes in place along with cutting-edge cybersecurity tools to prevent even the most sophisticated hacking techniques.

How do I Get CMMC Certification?

In times past, a business was able to certify on its own that it was compliant with government cybersecurity requirements. That time is no more. Any business that wants any level of CMMC certification will need to be authenticated by a DoD-authorized third party. The number of auditors is limited so you’ll want to schedule an appointment in advance to ensure your paperwork is in order in time to bid on the contracts of your choice. However, you’ll need to take some important measures before you call in an independent auditor to assess your cybersecurity tools and procedures.

What is your current level of cybersecurity? It can be wise to start by examining employee behavior. Do your staff members change passwords regularly, use strong passwords at all times, and use two-factor authentication? Do employees know warning signs that indicate that pop-ups and emails contain malicious content? Cybersecurity training and testing for staff members can help your employees be aware of and adhere to your company’s cybersecurity guidelines at all times.

You’ll also need to examine your IT hardware and software. All software programs need to be updated regularly as patches and updates eliminate vulnerabilities that could be exploited by hackers to gain access to your systems. You should have a VPN to keep data encrypted as it transits to and from your servers. Any SaaS platforms you use should be NIST 800-171 or NIST 800-53 compliant. Large tech vendors such as Microsoft and Salesforce have government versions of their platforms that offer higher cybersecurity standards than their run-of-the-mill platforms. Cloud storage and back-up solutions should be fully secure at all times.

Professional Help with CMMC Compliance

Reaching and maintaining the high cybersecurity standards in place for CMMC certification is no easy task. That’s why it can be a wise idea to partner with an IT managed service that specializes in CMMC consulting services. SSE has more than thirty years of experience providing cutting-edge IT services to the business community and more than twelve years offering the specialized tech tools and services businesses need to stay in step with DoD cybersecurity requirements. Our CMMC services include gap assessments to help you identify vulnerabilities in your cybersecurity set-up, remediation to improve cybersecurity standards and policies, and compliance as a service to ensure your company can easily maintain high cybersecurity standards long-term. Get in touch with us at your convenience to learn more about our services or to schedule an appointment with one of our experienced consultants.

Five Important CMMC Factors For DoD Contractors
https://www.sseinc.com/frontpage-article/cmmc-factors/
Sat, 19 Sep 2020 17:34:07 +0000

5 Important CMMC Factors You Need to Know About As A DoD Contractor

Has your IT Company made you aware of the DOD’s new certification standard? If you are just learning about it, here’s what you need to know.

At the start of this year, the Department of Defense declared that contractors and other organizations in the defense industry now have to comply with a new security standard. The Cybersecurity Maturity Model Certification (CMMC) was rolled out in January 2020 as a means of ensuring businesses prioritize network security as much as safety and quality. Unlike previous regulations, which also incorporated cybersecurity aspects, CMMC was explicitly designed to address IT security concerns.

What does this mean for your business? CMMC compliance will be crucial to securing business with the Pentagon going forward. This, therefore, means you need to learn all you can about it.

SSE Inc is a St. Louis-based tech company dedicated to helping businesses in the defense industry meet the required security guidelines and regulations. With decades of experience under our belt, we take it upon ourselves to equip business IT decision-makers with the information they need to remain compliant.

As part of our mission to accelerate business through reliable technology solutions, our IT experts came up with this blog article. We’ve painstakingly combed through the available documents and news releases and managed to condense them to 5 items you need to take note of as the model starts to come into play.

CMMC Applies to All Defense Contractors, Although the Rollout Will Be Gradual

Likely, the first question that pops up in your mind is whether you need CMMC in the first place. And if so, exactly when? It’s a good question but one that needs to be answered in parts, starting with the simplest. For starters, any ongoing work will not be affected by the new CMMC requirements. As such, the DOD will allow such work to be conducted as per the previously agreed-upon terms.

However, a minimum of fifteen contracts must include CMMC requirements by the end of this year. What’s more, this number is expected to grow quickly over the coming years. The DOD predicts there will be an estimated 479 contracts containing CMMC clauses and more than 48,000 certified contractors by 2025.

What do these figures mean for your business? Whether you are a DOD contractor or a subcontractor on a DOD project, expect these guidelines to apply to your business soon.

Assessments Will Be Conducted By C3PAOs Designated by The CMMC Accrediting Body

The defense department is still formulating the steps by which you can attain certification. Although it’s still a work in progress, there currently exists an accrediting body comprising 13 members from various backgrounds such as:

  • The cybersecurity industry
  • The defense industry
  • The academic community

At the moment, the CMMC Accrediting Body has yet to designate any third-party assessment organizations (C3PAOs). To avoid conflicts of interest in how the C3PAOs themselves achieve certification, the Accrediting Body is still working out its roles and responsibilities.

Subsequently, C3PAOs have to be chosen and trained to offer certifications to the organizations that need them. If an organization would like to become a CMMC assessor, it needs to get in touch with its local Procurement Technical Assistance Center (PTAC) to be considered for training.

Furthermore, the PTACs will play a crucial role in connecting certified C3PAOs to contractors after the training has been completed.

Your Organization Will Be Responsible for Achieving Certification Through a Designated Assessor

If you’d like to continue working on defense contracts, the burden of ensuring your business meets CMMC requirements rests on your shoulders. To attain certification, you will need to contact and hire a qualified C3PAO. They will proceed to assess your security practices against the required certification level before issuing the all-important green light. The same goes for subcontractors looking to work on DOD projects with primary contractors, the only difference being that they won’t be required to achieve the same certification level as the prime.

To illustrate the point, let’s take an example. Say, to bid on a project, a primary contractor needs Level 3 certification. However, if a portion of the same project only requires Level 1 CMMC, a subcontractor with that level of qualification could tackle that particular aspect.

This is meant to minimize disruptions to defense projects by ensuring the CMMC rollout is as smooth as can be.

Level 1 CMMC Follows the Basic Cybersecurity Practices You Should Be Following Already

Any change in our personal or business lives can seem daunting at first. However, if you’ve worked with the DOD previously, you should be familiar with many of the CMMC requirements. Although the defense department now prioritizes certification, a lot of the Level 1 certification requirements are similar to FAR Basic Safeguarding Requirements.

Because your organization is probably observing these practices already, it should be relatively easy to attain Level 1 certification.

These basic cybersecurity best practices include:

  1. Running frequent software updates
  2. Installing antivirus software on computers
  3. Following robust password protocols

Many CMMC and NIST 800-171 Requirements Are Very Similar

If you are keen on attaining higher certification levels for your business, you can look, once more, to your current security protocols for guidance. However, this only applies to Levels 1 through 3. If your organization needs Level 4 or 5 CMMC, you’ll be expected to present evidence of stringent and comprehensive protocols. On the upside, this standard of certification will not apply to the majority of DOD contracts.

Are You Looking to Leverage Expert CMMC Consulting?

SSE Inc provides cybersecurity, compliance, and technology services for organizations across the United States. Our experienced team of IT experts is eager to help your business remain compliant with all the requirements of CMMC and any other necessary regulations. Contact us to get started right away.

The Beginner’s Guide To CMMC (2020 Guidelines) https://www.sseinc.com/frontpage-article/beginners-guide-to-cmmc/ Sun, 13 Sep 2020 18:00:43 +0000 https://www.sseinc.com/?p=18857

Does Your DoD Supply Chain Business Meet 2020 CMMC Compliance?

Regardless of whether your organization does direct business with the federal government or benefits from lucrative supply chain contracts, the CMMC will have an impact on your bottom line going forward.

The CMMC, short for Cybersecurity Maturity Model Certification, went into full force and effect as of June 1, 2020. Anyone operating directly or indirectly with the U.S. Department of Defense (DoD), NASA, or the General Services Administration who houses what is known as “controlled unclassified information” (CUI) must now secure this data with heightened protections. If you are unsure about whether this includes your outfit or what types of cybersecurity measures are required, this CMMC overview answers a wide range of compliance questions.

Why CMMC Regulations & Compliance Matter

The federal government rolled out the CMMC in an effort to provide a unified cybersecurity standard across the defense industrial base. This sector includes upwards of 300,000 companies in a wide-sweeping supply chain. Officials at the DoD spearheaded the phased CMMC release beginning on January 31, 2020.

Before this rollout, defense contractors and supply chain outfits largely conducted their own compliance oversight using a variety of standards. Confusion about which guidelines to follow and failures to self-comply were resolved after the fact. Penalties and suspension of government contracts were an exercise in futility given that hackers may have already stolen valuable data.

According to Under Secretary of Defense for Acquisition and Sustainment Ellen M. Lord, cyber-theft costs the U.S. approximately $600 billion in losses each year. The DoD official indicates that hackers and rival nation-states place a high priority on stealing CUI from vulnerable supply chain companies.

“Adversaries know that in today’s great-power competition environment, information and technology are both key cornerstones. Attacking a sub-tier supplier is far more appealing than a prime (supplier),” Lord reportedly said. “CMMC is a critical element of DOD’s overall cybersecurity implementation.”

Peripheral companies may not realize that the seeming scraps of CUI they house on standard devices can be pieced together and weaponized by rogue nations such as Iran, China, and Russia, among others. The recently minted CMMC compliance regulations call for certification before bidding on lucrative government work.

Does CMMC Replace Previous Guidelines?

Perhaps the most confusing aspect of the CMMC rollout is that it does not exactly replace other directives. Instead, it brings many of the top-tier cybersecurity policies together under one roof.

For example, organizations in the federal government supply chain may already be familiar with standards such as NIST and DFARS. These were created to help secure vital information leveraged by contractors. Although these were determined efforts, neither delivered the hardened defenses necessary to keep digital assets out of the hands of bad actors. And indecision about which to follow added avoidable confusion.

The recently implemented CMMC gives everyone in the supply chain a single model to follow. It also eliminates potential vulnerabilities caused by subpar defenses or failure to meet the guidelines. The good news for industry leaders that took proactive measures is that previously adhering to the following standards may have you in compliance or close to the CMMC threshold.

  • NIST 800-171
  • NIST 800-53
  • ISO 27001
  • ISO 27032
  • AIA NAS9933

If you exercised due diligence when working with CUI in the past, an audit of your security measures can determine whether you are aligned with one of the five CMMC levels.

What You Need To Know About 5 CMMC Cyber Hygiene Levels

It’s essential for supply chain companies to understand that their compliance level will be roughly equal to the sensitivity of the data they store or access. Corporations working directly on military or scientific projects can expect to meet the heightened measures outlined in Level 5. Those at the low end of the data food chain may only require minimal cybersecurity upgrades. Consider this general overview and how it relates to your current cyber hygiene.

Level 1

The first tier of the CMMC involves what many consider “basic hygiene.” Expectations include employing up-to-date antivirus software and firewalls, and having employees and others with access to your network use robust passwords and change them routinely.

Level 2

At this level, widely considered “intermediate cyber hygiene,” supply chain organizations are expected to implement standards found in NIST, among others. Companies are tasked with establishing and documenting cybersecurity controls so that key stakeholders can implement and repeat them. The critical point is consistently securing CUI.

Level 3

Industry professionals generally consider this level of compliance “good cyber hygiene.” Companies are expected to adhere to upwards of 47 cybersecurity controls to earn certification. Organizations must also craft a defined plan that demonstrates those with access to data follow protocols. A company’s plan may include best practices, training, a mission statement, and an outline of stakeholders.

Level 4

At this level, commonly called “proactive cyber hygiene,” outfits are expected to have the ability to detect and defend against emerging threats. Contractors who met the DFARS criteria may find the Level 4 standards familiar. One of the terms used to highlight compliance is “advanced persistent threats,” or APTs. In essence, contractors must have the defensive capabilities to deter sophisticated bad actors.

Level 5

Meeting this heightened standard involves implementing as many as 30 additional controls. Companies must create standardized protocols that maximize “advanced cyber hygiene,” delivering sophisticated detection and response capabilities to defend against APTs.

The federal government’s decision to streamline and enhance protections under one CMMC roof hardens the nation’s defenses against international threats. But as a supply chain company decision-maker, that doesn’t make the details any less confusing. Going forward, your company will not only need to meet its required hygiene level, but you will also need certification.

Get A CMMC Compliance Assessment

The DoD and other agencies required minimum certifications for requests for information as of June 2020. Compliance for requests for proposals went into effect as of September 2020. Rather than miss an opportunity to participate in profitable government contracts, it’s imperative to have a cybersecurity professional analyze your system. By having your cybersecurity defenses assessed and hardened to meet your CMMC compliance level, you can participate in profit-driving contracts going forward.