Last week, we discussed the upcoming changes to DFARS 252.204-7012 -- the Cybersecurity Maturity Model Certification (CMMC). The CMMC will bring serious changes in how defense contractors and subcontractors approach information security for their networks and computer systems.
Though the final CMMC requirements are still being developed, the DoD is working closely with both industry and academic experts -- such as the Johns Hopkins University Applied Physics Laboratory. So we know that the final product will adhere closely to cybersecurity recommendations that have been in place for years. This means that you can get a head start on your competition by working now to harden your systems and prepare for the CMMC certification process.
Understanding CMMC’s Cybersecurity Requirements
It’s widely expected that the CMMC standards will closely resemble NIST Special Publication 800-171 in scope. Therefore, making sure that your systems are already compliant with 800-171 will give you a big boost when it comes time for CMMC certification.
Within NIST SP 800-171, there are fourteen security requirement families, each dealing with a particular aspect of information security. Within each family, basic security requirements state the overall goal of a control -- for example, “Limit system access to authorized users.” The means of achieving those goals are listed as derived security requirements -- for example, “Limit unsuccessful logon attempts.”
Appendix F contains a short discussion of each one of the security requirements, including the reasoning behind the requirement and perhaps an example of how to implement it.
Reading through and discussing each of these requirements with your IT personnel and other stakeholders will be critical to receiving a high CMMC score.
Create a System Security Plan
Once you understand the requirements in SP 800-171, it’s time to put into writing what compliance with those requirements will look like in your environment. This document is called a System Security Plan (SSP) -- and having an SSP in place is actually a requirement of 800-171.
This means documenting your current systems and what needs to be done to secure them in compliance with 800-171. This will likely involve several key people within your organization, including senior management, IT, and human resources. The more people who understand the requirements and give input on how to meet them, the easier it will be to get the SSP written and implemented.
Create a Plan of Action
Are there gaps between your current cybersecurity posture and what your SSP says it should be? Don’t feel like you need to fix everything overnight. The second document to write up is called a Plan of Action (POA). The POA describes how your organization plans to implement the security controls or mitigations that are required to meet your SSP. This should include milestones, or specific timeframes when you expect to be able to implement the security requirements.
Since both an SSP and a POA are required by NIST SP 800-171, expect that having them on hand and up to date will be a requirement of CMMC as well. Get a head start on CMMC by working on them now.
Find a Partner
With all of the changes that CMMC will bring, it will pay to find a trusted partner to help guide you through the requirements. Many small businesses are turning to cloud providers -- such as Office 365 GCC High -- for turnkey compliance with many of the NIST 800-171 controls.
Additionally, an IT Managed Service Provider (MSP) can provide you with on-demand cybersecurity expertise, guidance and auditing. Here at E-N Computers, we’re ready to help you with all of your cybersecurity needs. In fact, members of our team recently met with faculty at Johns Hopkins University who are working on CMMC policy to find out how we can better help our customers to prepare for the changes. If you have questions or concerns about your readiness for CMMC, contact us today.