by Blake Cormier
Content Manager, E-N Computers
Updated September 1, 2023
In June 2019, the Department of Defense announced that it is introducing a new cybersecurity standard for contractors — the Cybersecurity Maturity Model Certification (CMMC). With cyberattacks and cyber-warfare in the news week after week, it’s no surprise that the Department of Defense is ready to take a harder line on enforcing cybersecurity standards for defense contractors handling sensitive information. The aim is to protect the supply chain and the Defense Industrial Base (DIB) from attack by foreign states or rogue actors.
If your business depends on defense contracts or subcontract work, then you’ll want to make sure that you understand the new regulations, and that you’re prepared when they take effect — which is expected sometime in 2025.
Cybersecurity requirements for contractors are already spelled out in the Defense Federal Acquisition Regulation Supplement (DFARS), in DFARS Clause 252.204-7012. This regulation requires that contractors handling unclassified but sensitive information follow the security controls outlined in NIST Special Publication 800-171. This includes things like authentication, access control, configuration management, and other basic cybersecurity requirements for systems that deal with controlled unclassified information (CUI).
Currently, contractors may self-certify that they are complying with DFARS 7012 — there are no third-party auditing requirements in place. However, as you can imagine, the vast majority of contractors fail to comply with the rule.
Therefore, the DoD announced the creation of the Cybersecurity Maturity Model Certification to address these gaps in compliance and enforcement of cybersecurity regulations.
While not all of the details of CMMC have been made public yet, it is expected to be largely based on the same NIST SP 800-171 security controls in use today. In that case, contractors will be assigned a score from 1 to 5 in each of the 14 control “families” outlined in 800-171, based on how many of the controls in that family have been implemented.
Additionally, separate scores will be issued for “sophistication” and “institutionalization” of these security practices. This means that it’s not enough to just have secure policies in theory — your organization needs to actually follow them consistently in order to achieve a high CMMC score.
In the coming months, DoD will provide more information on the proposed rollout schedule for CMMC. However, it’s a good idea to start taking steps now to get ready for it, since it can easily take a year to become CMMC assessment ready. CMMC 2.0 will likely be published in late 2023, with a public comment period to follow. A phased rollout will likely begin in early 2025, with full implementation by 2028.
Each contract will specify what CMMC level is required for the contract. And it’s likely that these requirements will trickle down to subcontractors as well. So, the sooner you prepare for CMMC, and the higher the CMMC score you can achieve, the bigger the advantage you’ll have over the competition when the time comes. You can also consider whether the increased IT costs that come with CMMC are worth it.
But what steps can you take now to get ready for CMMC?
It’s widely expected that the CMMC standards will closely resemble NIST Special Publication 800-171 in scope. Therefore, making sure that your systems are already compliant with 800-171 will give you a big boost when it comes time for CMMC certification.
Within NIST SP 800-171, there are fourteen security requirement families, each dealing with a particular aspect of information security. Within these families, basic security requirements outline the overall goal of a particular control. For example, “Limit system access to authorized users.” The means to achieve those goals are listed as derived security requirements. For example, “Limit unsuccessful logon attempts.”
Appendix F contains a short discussion of each one of the security requirements, including the reasoning behind the requirement and perhaps an example of how to implement it.
Reading through and discussing each one of these requirements with your IT personnel and other stakeholders will be critical to successfully receiving a high CMMC score.
Once you understand the requirements in SP 800-171, it’s time to put into writing what compliance with those requirements will look like in your environment. This document is called a System Security Plan (SSP) — and having an SSP in place is actually a requirement of 800-171.
This means documenting your current systems, and what needs to be done to secure them in compliance with 800-171. Likely this will involve several key people within your organization, including senior management, IT, and human resources. The more people that understand the requirements, and give input on how to meet them, the easier it will be to get the SSP written and implemented.
Are there gaps between your current cybersecurity posture and what your SSP says it should be? Don’t feel like you need to fix everything overnight. The second document to write up is called a Plan of Action (POA). The POA describes how your organization plans to implement the security controls or mitigations that are required to meet your SSP. This should include milestones, or specific timeframes when you expect to be able to implement the security requirements.
Since both an SSP and POA are required according to NIST 800-171, expect that having them on hand and up-to-date will be a requirement of CMMC as well. Get a head start on CMMC by working on them now.
With all of the changes that CMMC will bring, it will pay to find a trusted partner to help guide you through the requirements. Many small businesses are turning to cloud providers — such as Office 365 GCC High — for turnkey compliance with many of the NIST 800-171 controls.
Additionally, an IT Managed Service Provider (MSP) can provide you with on-demand cybersecurity expertise, guidance and auditing. Here at E-N Computers, we’re ready to help you with all of your cybersecurity needs. We have recently worked with several of our clients to prepare System Security Plans (SSPs) and Plans of Action (POAs) to get ready for CMMC’s implementation.
If you have questions or concerns about your readiness for CMMC, contact us today for a free consultation.