If your organization does contract work for the US Department of Defense (DoD), or is hoping to do so, there’s a good chance you’ve been reading a lot about the Cybersecurity Maturity Model Certification (CMMC). If you haven’t, now is the time to get up to speed on what CMMC is and what it means for your company.
The Department of Defense (DoD) continues to evolve and implement increasingly robust security measures to make it difficult for threat actors to penetrate the DoD’s networks. Many of the government’s service providers, however, have fewer protections in place, making them prime targets for cyberattacks and putting the government’s controlled unclassified information (CUI) at risk.
CUI is information created or owned by the government that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. It is often shared with DoD contractors and subcontractors (not just those that provide IT services) so that they can do their work for the government, but it remains subject to the same rules and regulations.
In 1996, the federal government implemented contractual mandates requiring that its service providers protect controlled unclassified information (CUI). Nonetheless, data breaches involving service providers are on the rise. Part of the problem stems from the standards being seen as optional. Many service providers don’t implement them, much less make overall security a priority.
The CMMC program was developed by the DoD to enhance cyber protection standards for companies in the Defense Industrial Base (DIB). The program incorporates a set of cybersecurity requirements into acquisition programs, and companies that supply the DoD will need to adhere to these requirements in order to bid on DoD contracts.
Version 1.0 became a requirement for participation in some DoD requests for information (RFIs) and requests for proposals (RFPs) in 2020. By fiscal year 2026, it’s expected to expand to include DoD procurement.
In November 2021, the DoD announced a few changes to the program, which is now known as CMMC 2.0. The timing of the program’s implementation and many of the details are still being worked out, and CMMC 2.0 won’t be a contractual requirement until the rulemaking process is completed. It’s expected to take 9-24 months.
Under the existing 48 CFR 52.204-21 and NIST SP 800-171 requirements, federal and DoD contractors were required to implement security protections for CUI and were allowed to self-assess those implementations. Companies could undergo an internal audit process and then submit documentation stating that they met the requirements. There were no checks and balances on the self-assessment.
With CMMC 2.0, all defense contractors and subcontractors will be required to be CMMC certified and accredited by a third-party auditor for all defense contracts. There are five certification levels, which are based on the sensitivity and volume of CUI they can access. Each level up indicates a higher degree of protection for sensitive information.
You can learn more about the changes between CMMC 1.0 and 2.0 here.
CMMC 2.0 may not be a requirement now, but it will be soon. If your organization is interested in being considered for DoD contracts, it’s in its best interest to make sure it can meet the CMMC 2.0 requirements.
Perhaps even more important is the fact that cyber attackers and threat actors aren’t waiting until CMMC 2.0 is in place. Any organization holding information that attackers think they can profit from, or can use to wreak havoc or do damage, is fair game. Enhancing IT security and cybersecurity can help protect your organization and mitigate damage should an attack occur.
Here are some things your organization can do.
To learn more about how to enhance the security of your organization’s IT systems and prepare to meet CMMC 2.0 and other requirements, contact US Signal. We have extensive experience in helping customers meet a variety of regulatory requirements and industry standards, and we’re staying on top of what’s going on with CMMC 2.0. Call (866) 274-4625 or email [email protected].