A Headstart to Cybersecurity Maturity Model Certification (CMMC)


The U.S. Department of Defense (DoD) is planning to implement a new cybersecurity compliance program called Cybersecurity Maturity Model Certification (CMMC). Under this new initiative, any company planning to do business with the DoD must first be evaluated by a third-party assessor and receive a CMMC rating. That rating must meet the level required by the contract's request for proposal. In my previous article, Cybersecurity Maturity Model Certification, we note that the timeline for implementing this new program is rather aggressive, perhaps as little as one year from now. Since the CMMC rating will be a prerequisite to even submitting a contract bid, how can small businesses proactively set the conditions for their future success?

How to prepare for CMMC

It’s important to note that CMMC is not just a stack of paperwork. Rather, it is an affirmation that business processes include appropriate security controls governing processes, people, and technology to protect government and company information and systems. Obviously, this level of process control, like any other business workflow, doesn’t happen overnight or with a stroke of the pen. It requires planning, coordination, training, implementation and oversight. All of those take time and, quite frankly, significant resources. So it is important to start now to mature your CMMC program before the third-party assessment, which may be less than a year away.

CMMC is tightly coupled with the requirements for protecting controlled unclassified information (CUI) and controlled defense information (CDI) per the guidelines in NIST SP 800-171 revision 1 and DFARS Clause 7012. These two references will likely not be the only guidance that informs CMMC. Since protection of CUI and CDI is the primary goal of the government’s logistics and supply chain security efforts, we expect that applying the standards of NIST SP 800-171 and DFARS Clause 7012 will meet the majority of CMMC requirements and ensure your cybersecurity program is implemented and maturing.

The United States Office of the Under Secretary of Defense for Acquisition & Sustainment has created a web site with information that will be updated as the program matures: https://www.acq.osd.mil/cmmc/index.html.

Assured Bridge is your Compliance Partner

The Assured Bridge Team is following these developments closely to ensure our secure environment services meet the CMMC requirements, while maintaining and improving compliance with the NIST SP 800-171 framework. We envision that adherence to NIST SP 800-171 and DFARS Clause 7012 standards will meet the vast majority of requirements for CMMC levels 1-3. We have begun designs for improvements to support those customers requiring compliance to levels 4-5 as well. We remain committed to providing secure and compliant operations environments and resource knowledge that our customers can depend on to protect their sensitive information and meet the U.S. government’s security objectives to protect our nation’s interests, information and intellectual property.

We know these changes are happening fast, and some of the details and requirements can be confusing or contradictory. Not all small businesses have the resources needed to stay abreast of these developments, let alone implement the necessary business process changes. We’re here to help. Feel free to contact us to help build your cybersecurity program and team. Our contact information is available at https://assuredbridge.com.


Daniel Bjorklund

PRINCIPAL

With over 30 years of experience, Daniel Bjorklund is a dedicated information security practitioner and innovator. He serves as a principal at Assured Bridge, helping to mature and guide compliance-as-a-service and managed security service provider operations. Dan is also Chief Technologist at Sabine Solutions, a defense contractor, and owns a small cybersecurity consulting firm, Community Cyber. He is active in the startup and entrepreneurial communities in the Augusta, GA area, helping set firm cybersecurity foundations for new companies and efforts.

Dan is a current CISSP and holds a Master of Science degree in Information Assurance and Security and a Bachelor of Science degree in Information Technology. When not hunched in front of a computer, Dan can often be found above 3000 feet avoiding highway traffic, flying his airplane as a licensed pilot. He and his wife enjoy outdoor activities, biking, fishing and sightseeing in the Southeastern United States.
