The U.S. Department of Defense (DoD) is planning to implement a new cybersecurity compliance program called Cybersecurity Maturity Model Certification (CMMC). Under this new initiative, any company planning to do business with the DoD must first be evaluated by a third-party assessor and receive a CMMC rating. That rating must meet the level specified in the contract's request for proposal. In my previous article, Cybersecurity Maturity Model Certification, we note that the timeline for implementation of this new program is rather aggressive, perhaps as little as one year from now. Since the CMMC rating will be a prerequisite to even submitting a contract bid, how can small businesses proactively set the conditions for their future success?
How to prepare for CMMC
It’s important to note that CMMC is not just a stack of paperwork. Rather, it is an affirmation that business processes include appropriate security controls governing processes, people, and technology to protect government and company information and systems. Obviously, this level of process control, like any other business workflow, doesn’t happen overnight or with the stroke of a pen. It requires planning, coordination, training, implementation and oversight. All of those take time and, quite frankly, significant resources. So it is important to start now to mature your CMMC program before the third-party assessment, which may be less than a year away.
CMMC is tightly coupled with the requirements for protecting controlled unclassified information (CUI) and controlled defense information (CDI) per the guidelines in NIST SP 800-171 revision 1 and DFARS Clause 7012. These two references will likely not be the only guidance that informs CMMC. Since protection of CUI and CDI is the primary goal of the government’s logistics and supply chain security efforts, we expect that applying the standards of NIST SP 800-171 and DFARS Clause 7012 will satisfy the majority of CMMC requirements and ensure your cybersecurity program is implemented and maturing.
The United States Office of the Under Secretary of Defense for Acquisition & Sustainment has created a web site with information that will be updated as the program matures: https://www.acq.osd.mil/cmmc/index.html.
Assured Bridge is your Compliance Partner
The Assured Bridge Team is following these developments closely to ensure our secure environment services meet the CMMC requirements, while maintaining and improving compliance with the NIST SP 800-171 framework. We envision that adherence to the NIST SP 800-171 and DFARS Clause 7012 standards will meet the vast majority of requirements for CMMC levels 1-3. We have also begun designing improvements to support customers requiring compliance with levels 4-5. We remain committed to providing secure and compliant operating environments and resource knowledge that our customers can depend on to protect their sensitive information and meet the U.S. government’s security objectives to protect our nation’s interests, information and intellectual property.
We know these changes are happening fast and that some of the details and requirements can be confusing or contradictory. Not all small businesses have the resources needed to stay abreast of these developments, let alone implement the necessary business process changes. We’re here to help. Feel free to contact us for help building your cybersecurity program and team. Our contact information is available at https://assuredbridge.com.