CMMC Orientation & Training II
Confident and timely CMMC compliance comes down to whether or not you have an informed strategy. Do you know the ins and outs of CMMC compliance? Our second webinar offers a lot of key information for defense contractors like yours.
In October 2020, the DoD released their Interim Final Rule, which set a deadline for NIST compliance and a timeline for CMMC compliance. These new compliance standards not only put DoD contractors on the clock, but also presented them with far more rigorous expectations than they’ve been subject to before.
Do you know what CMMC is, and what it means for you?
If you do business with the DPD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. Anyone operating in the DOD supply chain must become certified to showcase that they’re able to protect controlled unclassified information (CUI).
For an overview, check out our second orientation webinar, led by Mike Shelah and Russell Smith from Advantage Industries:
What Is CMMC?
CMMC is the DOD’s way of certifying its contractors’ abilities to protect the Federal Contract Information (FCI) and CUI shared within the supply chain.
This builds upon the requirements set out by Defense Federal Acquisition Regulation Supplement (DFARS), Code Of Federal Regulations (CFR) and National Institute of Standards and Technology (NIST) guidelines (namely, 800-171 of the latter).
The DOD relies on external contractors and suppliers like you to carry out a wide range of tasks. Sensitive data that is shared with you must be protected. The fact is that inadequate safeguards for this sensitive data may threaten America’s National Security and put our military members at risk.
The DOD has implemented a basic set of cybersecurity controls through DOD policies and DFARS. These rules and clauses apply to the safeguarding of contractor/supplier information systems that process, store or transmit CUI. These security controls must be implemented at both the contractor and subcontractor levels based on information security guidance developed by the National Institute of Standards and NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations”.
As a U.S. DOD contractor who collects, stores, or transmits Covered Defense Information (CDI) or CUI you must comply with NIST regulation 800-171 and DFARS 252.204-7012. Your subcontractors must comply as well and be able to maintain compliance.
If you don’t, you can’t bid on DOD contracts, and you may lose the ones you have. CMMC is the DOD’s way of giving contractors like you a method for verifying that the appropriate measures have been put in place.
How Is CMMC Different From NIST?
The main difference is that while NIST SP 800-171 originally allowed you to self-assess and certify, CMMC is a requirement. You will need to get certified by an approved third party. A number of the terms in use are also different, such as “families” for NIST and “domains” for CMMC.
Many of the controls found in CMMC are the same as NIST 800-171, however, CMMC brings together various compliance processes into one unified framework. You will find aspects of the following in CMMC:
- NIST 800-171
- NIST 800-53
- ISO 27001
- ISO 27032
- AIA NAS9933
Contractors will likely have to implement some new controls that they don’t already have in place. Not every contractor needs to attain the highest level of the five covered in CMMC. While some do, others may only need to attain level one or two certifications.
What Cybersecurity Requirement Levels Are Included In CMMC?
CMMC introduces 5 levels of security requirements:
- Level 1: The first level requires basic cybersecurity practices, including anti-virus software, strong passwords, and overall, fairly standard measures.
- Level 2: The second level is designed to protect controlled unclassified information, and as such, requires more complex measures:
- Access controls
- Awareness and training
- Identification and authentication
- Configuration management
- Audit and accountability
- Incident response
- Media protection
- Physical protection
- Personnel security
- Security assessment
- Risk assessment
- Systems and communications protections
- Systems and information integrity
- Level 3: The third level is based on an extension of the NIST 800-171 r2 standards. There are 47 security controls that must be in place to comply with this level.
- Level 4: The fourth level requires contractors to be proactive when it comes to measuring, detecting, and defending against threats. Some requirements are similar to DFARS while requiring contractors to be prepared to handle advanced persistent threats.
- Level 5: The fifth and final level includes 30 extra security controls above and beyond level four that must be put in place. They revolve around auditing and management processes as opposed to technical requirements.
What Happens If You’re Not Compliant?
The penalty for CMMC compliance is simple — if you’re not compliant, you can’t be awarded defense contracts. There are no fines or conventional penalties. You’re just unable to operate in the DoD contracting space any longer.
While complying with these new requirements will undoubtedly require a further investment of time and money beyond your standard compliance efforts, it’s important to note the silver lining — compliance will likely reduce your competition.
As it becomes more difficult to operate in the defense sector, smaller competitors will likely drop out. Becoming compliant with CMMC will require more resources, and not all current contractors will see the benefit of investing further, especially if they don’t have the capital to do so.
That makes the market less competitive for contractors that do make the effort to become compliant. And that’s not the only benefit — these new requirements aren’t arbitrary. Implementing them will have additional benefits as well, making your company more secure and of greater value to your clients.
What Can You Do Right Now To Start On Your CMMC Compliance?
Level 1 (Basic Safeguarding Of FCI)
Only Performed Maturity Process is required (that is, no documentation).
- Safeguards in the FAR 52.204-21:
- Limit Access to Authorized Users
- Limit Access to types of Transactions and functions that authorized users are permitted to execute
- Control and Limit access to external systems information posted (or processed on public systems
- Limit physical access to systems to authorized individuals
- Escort visitors and monitor the activity including audit log of physical access
- Malicious code protection mechanisms (AV, Anti-Malware, OSINT)
- Perform periodic scans
CMMC Level 2 (Transition Step To Protect CUI)
Documentation is required at this Maturity Level.
- 55 additional controls (with 72 total):
- Regularly perform and test backups
- Monitor remote access sessions
- Maintain system audit logs
- Security Roles and Responsibility training
- Control and monitor user-installed software
- Establish an Incident Response program
- Vulnerability Scans and Remediation in accordance with risk assessments
- Develop and maintain a System Security Plan (SSP)
- Develop and implement a Plan of Action to reduce system security deficiencies
CMMC Level 3 (Protecting CUI)
The Maturity: Managed level = Documentation
- 58 additional controls(130 total):
- Continuous Monitoring and Logging
- Security Awareness Training
- MFA for remote access
- Incident Response Plan
- Configuration Management Plan
Need Expert Assistance Implementing CMMC & NIST Compliance?
Looking for expert assistance with your CMMC compliance planning?
Advantage Industries is now a Registered Provider Organization (RPO), and two of our staff members, Kevin Dubois and Matt McGinty, are now fully certified CMMC Registered Practitioners (RP).
Let’s get started on your compliance processes right away.
If you do, you’ll receive a FREE Dark Web scan, and furthermore, 4 out of 5 businesses that Schedule a meeting with us can also qualify for a FREE network security scan. This scan will give you valuable information on the state of your network and the scale of remediation you can expect.
Put simply, this is the best way to start your CMMC compliance process with fully certified and expert assistance.
Advantage Industries is a Managed Security Service Provider (MSSP) providing practical networking and software solutions, as well as web site and application creation services. For nearly two decades, Advantage has worked collaboratively with hundreds of clients in understanding complex business processes, identifying needs, and providing recommendations tied with sound technology solutions custom-tailored to their business.