What You Need to Know and Do about CMMC
If your organization does contract work for the US Department of Defense (DoD), or is hoping to do so, there’s a good chance you’ve been reading a lot about the Cybersecurity Maturity Model Certification (CMMC). If you haven’t, now is the time to get up to speed with what CMMC is and what it means for your company.
The Department of Defense (DoD) continues to evolve and implement increasingly robust security measures to make it difficult for threat actors to penetrate the DoD’s networks. Many of the government’s service providers, however, have fewer protections in place, making them prime targets for cyberattacks and putting the government’s controlled unclassified information (CUI) at risk.
CUI is information created or owned by the government that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. It’s often shared with DoD contractors and subcontractors (and not just those that provide IT services) so they can do their work with the government, but it is still subject to the same rules and regulations.
In 1996, the federal government implemented contractual mandates requiring that its service providers protect controlled unclassified information (CUI). Nonetheless, data breaches involving service providers are on the rise. Part of the problem stems from the standards being seen as optional. Many service providers don’t implement them, much less make overall security a priority.
The CMMC Program
The CMMC program was developed by the DoD to enhance cyber protection standards for companies in the Defense Industrial Base (DIB). The program incorporates a set of cybersecurity requirements into acquisition programs, and companies that supply the DoD will need to adhere to these requirements in order to bid on DoD contracts.
Version 1.0 became a requirement for participation in some DoD requests for information (RFIs) and requests for proposals (RFPs) in 2020. By fiscal year 2026, it’s expected to expand to include DoD procurement.
In November 2021, the DoD announced a few changes to the program, which is now known as CMMC 2.0. The timing of the program’s implementation and many of the details are still being worked out, and CMMC 2.0 won’t be a contractual requirement until the rulemaking process is completed. It’s expected to take 9-24 months.
The Big Changes
Under the existing 48 CFR 52.204-21 and NIST SP 800-171 requirements, federal and DoD contractors were required to implement security protections for CUI and allowed to self-assess those implementations. Companies could undergo an internal audit process and then submit documentation that they met the requirements. There were no checks and balances on the self-assessment.
With CMMC 2.0, all defense contractors and subcontractors will be required to be CMMC certified and accredited by a third-party auditor for all defense contracts. There are five certification levels, which are based on the sensitivity and volume of CUI they can access. Each level up indicates a higher degree of protection for sensitive information.
You can learn more about the changes between CMMC 1.0 and 2.0 here.
Start Preparing Now
CMMC 2.0 may not be a requirement now, but it will be soon. If your organization is interested in being considered for DoD contracts, it’s in its best interest to make sure it can meet the CMMC 2.0 requirements.
Perhaps even more important is the fact that cyber attackers and threat actors aren’t waiting until CMMC 2.0 is in place. Any organization that has information they think they can profit from or that they can use to wreak havoc or do damage is fair game. Enhancing IT security and cybersecurity can help protect your organization – and mitigate damage should an attack occur.
Here are some things your organization can do.
- Become familiar with the CMMC standard on the Office of the Under Secretary of Defense for Acquisition and Sustainment, Cybersecurity Maturity Model Certification website.
- Try to identify what levels your company wants to be able to achieve based on the types of acquisitions you are tracking right now.
- Start preparing your artifacts. Have as much information ready to go to facilitate and reduce the number of hours and resources needed, which could potentially keep accrediting costs down.
- Review your current IT security and cybersecurity processes and protocols. Compare them to industry best practices. Consider working with an IT service provider like US Signal to conduct an IT security assessment to identify gaps and potential solutions for your security plan.
- If your company isn’t already following critical IT security best practices, get started on them now. That includes:
  - Limiting information systems access to authorized users and the specific actions needed to perform their jobs
  - Using multi-factor authentication tools to verify the identities of users, processes, and devices
  - Educating employees, vendors, and other third-party companies your organization works with on cyber threats and the importance of setting strong passwords, recognizing malicious links, and installing the latest security patches
  - Maintaining audit logs, and managing physical devices like USB keys
  - Implementing comprehensive vulnerability management with frequent system scanning (inside and outside the network) and a plan for remedying issues
  - Patch management
  - Ensuring you have a tested disaster recovery plan in place
  - Implementing a multi-layered data protection strategy that covers all IT systems, including endpoints
  - Implementing a thorough data management plan that enables you to locate all your organization’s data, no matter where it resides, identify and classify it so you know what you have (and if it requires specific protection to meet various requirements), encrypt it as necessary, and move it to appropriate storage to meet data privacy and access requirements
Take the Next Steps
To learn more about how to enhance the security of your organization’s IT systems, and prepare for meeting CMMC 2.0 and other requirements, contact US Signal. We have extensive experience in helping customers meet a variety of regulatory requirements and industry standards, and we’re staying on top of what’s going on with CMMC 2.0. Call (866) 274-4625 or email [email protected].