CMMC: You Might Not Realize the Impact on Your Business

Cybersecurity Maturity Model Certification (CMMC)

The CMMC started within the Department of Defense (DoD) to reduce the theft of sensitive defense information from the contractors that handle it, but, as expected, it doesn't look like it will be long before it spreads to other sectors. There's interest in amending Sarbanes-Oxley to include CMMC, which would impact the financial sector. Don't fear that this is just an additional burden: the CMMC model is set up to be clearer and easier to implement. Standardization in security compliance is a win for businesses trying to juggle multiple requirements.

Impact of COVID-19

As you may know, the final guidelines (CMMC version 1.0) were published in January 2020, with enforcement targeted for the summer. We all wondered how the COVID-19 crisis would affect the planned rollout. We learned this month that it will NOT slow down the July 1, 2020 enforcement date. The rollout is a "crawl-walk-run" plan, and the audit process will use video conferencing plus on-site surveys that follow any protective guidelines. If you have a contract up for renewal in the coming year, you need to be prepared.

Your First Step is to understand CUI and how your business interacts with it

CUI (Controlled Unclassified Information) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.*

The CUI Registry lists the specific categories and subcategories of information that the Executive branch protects. It can be found at https://www.archives.gov/cui

Every company doing business with the DoD will need some level of CMMC. If you DO NOT handle CUI under your DoD contracts, any contract renewals will most likely require Level 1 (basic safeguarding of Federal Contract Information).

If you DO handle CUI under your DoD contracts, any contract renewals will require at least Level 3. Level 2 is only an interim step on the way to proving CMMC Level 3.

Your Second Step is to understand how prepared your business is to pass the certification

It is best to start by understanding your current state and how it compares to the requirements of the level you need. Where you THINK you stand is often very different from where you actually stand. One VERY IMPORTANT change from what you may be used to under NIST SP 800-171: there is NO POA&M (Plan of Action and Milestones). You must meet every requirement before you are considered certified. There is no "we are working on it".

Next, you will most likely need assistance in preparing

Most companies benefit from partnering with a firm that is well versed in cybersecurity and compliance. Every IT company seems to claim it does the same thing, whether it has 5 employees or 50. Can that be true? No, but how can you tell?

It's hard to judge differences in the quality of staff, although experience and certifications are a good indicator. For cybersecurity and compliance specifically, measure prospective partners against this checklist.

Pre-Audit Partner Checklist

Experience in risk assessments mapped to compliance standards, including:

  • Uses the NIST SP 800-30 guide for conducting those risk assessments.
  • Risk assessment includes internal and external vulnerability scanning.
  • Knowledge of NIST SP 800-171 requirements and CMMC compliance requirements.
  • IT team experienced in providing security solutions, including SIEM, SOC and security awareness training.
  • Assessment that examines security controls across the administrative, physical and technical domains.
  • Deliverables that include a prioritized work plan of risks mapped to specific compliance requirements, with remediation steps detailed.
  • An organized platform for managing risk assessment reports and the work plan.

There's a lot of information out there, just like this post. Be sure to go straight to the source; that is what we do. *This is a great FAQ about CMMC: https://www.acq.osd.mil/cmmc/faq.html

Katie Arrington, chief information security officer for acquisition with the DoD, is the architect behind the model. Look for webinars featuring Katie.

As you may suspect, The AME Group security division provides a broad range of services, including free consultations. Contact us to engage our security team.