Posted on

Cybersecurity Maturity Model Certification

Cybersecurity Maturity Model Certification

The U.S. Department of Defense continues it’s push to strengthen the security of the Defense Industrial Base and the critical information contained therein. Businesses either currently involved in, or hoping to bid on, contracts with the U.S. Department of Defense must soon prove their commitment to cybersecurity before being allowed to even bid on new work – in perhaps as little as one year from now.

A New Cybersecurity Requirement in Less Than a Year….

This new effort is led by the DoD’s Undersecretary for Defense for Acquisition and Sustainment and is called the Cybersecurity Maturity Model Certification (CMMC) program. Under this new program, prior to bidding on and winning contract work, companies must undergo a cybersecurity assessment by an authorized 3rd-party assessor. These assessors will use security control frameworks such as NIST SP 800-171, ISO 27001, NIST SP 800-53 and others to evaluate the maturity and effectiveness of a company’s cybersecurity program. Once assessed, a rating between 1 and 5 is assigned, with 1 being basic compliance and 5 indicating advanced and comprehensive compliance.

Security Assessments by Authorized Assessors

According to the Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, starting mid CY2020 contracts will include a Cybersecurity Maturity Model Certification (CMMC) rating requirement of 1 to 5. To respond and bid on this work, the responding company must hold a CMMC rating of equal or greater value than that specified in the Request for Proposal (RFP). This rating must have been earned through an assessment by an authorized assessor, recognized by the Department of Defense. These assessors are intended to be independent entities, not associated with other products or services sold to the government or its contractors.

CMMC Ratings

The CMMC required rating is based on the sensitivity of the information associated with, or generated in support of, the contract work. We expect that most contracts will require a rating of 1 to 3, with 1 being associated with contracts for which little to no sensitive information is generated, up to 3 for those that may included sensitive information categorized as controlled unclassified information (CUI) and special access to government systems and facilities. The ratings of 4 to 5 will likely be reserved for programs with additional sensitive information, plans, technology and other unique requirements.

The Resource Challenge

Obviously, this effort is intended to stem the tide of U.S. intellectual property and critical data being stolen by U.S. adversaries. We have all heard the many reports of exploits, compromises and data leaks that plague not only our Defense Industrial Base (DIB), but also our commercial and personal interests. From this perspective, such an effort is commendable though daunting. Many small business have only recently come to terms with the security requirements for handling CUI which went into effect less than 2 years ago, and remains a challenge. The CMMC requirement poses another significant challenge to resource-constrained small businesses. The Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, speaking at various recent conferences, has noted that a mechanism is planned to allow reimbursement for some of the cybersecurity costs via allowable charges in contract terms.

An Aggressive Timeline

While the DoD has been pressing for increased DIB cybersecurity since the introduction of NIST SP 800-171 and DFARS 7012, the Cybersecurity Maturity Model Certification program was rapidly introduced with details still slow to emerge. A number of announcements and discussion sessions are underway and representatives from OUSD(A&S) are speaking at various defense conferences. The announced timeline thus far includes published CMMC version 1.0 standards by the end of January 2020, assessment organizations offering services soon after, and government requests for proposals (RFP) and requests for information RFI) including CMMC requirements by June 2020 with contracts requiring assessed compliance soon after.

Assured Bridge is your Compliance Partner

The Assured Bridge Team is following these developments closely to ensure our secure environment services are commensurate with the CMMC requirements, while maintaining and improving compliance with the NIST SP 800-171 framework. We envision that adherence with NIST SP 800-171 standards will meet the vast majority of requirements for CMMC levels 1-3. We have begun designs for improvements to support those customers requiring compliance to levels 4-5 as well. We remain committed to providing secure and compliant operations environments and resource knowledge that our customers can depend on to protect their sensitive information and meet the U.S. government’s compliance objectives.

The United States Office of the Under Secretary of Defense for Acquisition & Sustainment, Cybersecurity Maturity Model Certification has created a web site with information that will be updated as the program matures:

Posted on

Multifactor Authentication – Raising the Bar

mulit factor authentication

Organizations doing business with the U.S. Government, or planning to do so, must consider the potential for increased cybersecurity requirements. Contracts that include the creation, communication and/or storage of controlled unclassified information (CUI) are specifically encumbered by the requirements described in NIST SP 800-171: Protecting Controlled Unclassified Information in NonfederalSystems and Organizations. Additional controls may be imposed if the contract serves the Department of Defense and includes covered defense information. These additional measures can be found outlined in DFARS Clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting.

Continue reading Multifactor Authentication – Raising the Bar
Posted on

Business Operating Policies Enable Compliance

business operating policies for cyber security

Compliance with the security controls described in NIST SP 800-171 Revision 1 and DFARS Clause 252.204-7012 is required for organizations doing business with the U.S. Federal Government that involves the transfer, storage and processing of controlled unclassified information (CUI) and/or covered defense information (CDI).

Continue reading Business Operating Policies Enable Compliance
Posted on

Information System Maintenance and Compliance for CUI Protection

Information System Maintenance & Compliance for CUI Protection

Maintenance Required

If you’re a small business working on a government contract that includes requirements for protection of controlled unclassified information CUI, it’s important to remember that remaining compliant is a continuous process. National Institute of Standards and Technology Special Publication 800-171 contains the guidelines for establishing and maintaining the required security processes and controls inherent in many contract terms. These requirements include maintaining and updating the systems used in support of the contract efforts.

Continue reading Information System Maintenance and Compliance for CUI Protection
Posted on

Credential Stuffing and NIST SP 800-171

Credential Stuffing & NIST SP 800-171

Businesses face a growing number of vulnerabilities and adversarial tactics aimed at compromising the information they hold dear. The data entrusted to organizations in support of government contracts is of great value to those with malicious intent. While compliance with NIST SP 800-171 may be compulsory for your government contract, it also supports business goals for operational security and risk management.

Continue reading Credential Stuffing and NIST SP 800-171
Posted on

NIST SP 800-171 Control Families – Overview

NIST SP 800-171 Control Families Overview

For non-governmental organizations that do, or hope to do, business with the U.S. government, careful consideration must be given to whether controlled unclassified information is part of the specified contract work. Controlled unclassified information (CUI) is sensitive in nature and is restricted from public distribution. This is not classified information, rather products or by-products of contract government work that has been deemed to deserve additional protections.

Continue reading NIST SP 800-171 Control Families – Overview
Posted on

World Backup Day and NIST SP 800-171

world backup day and nist sp 800-171

Backups and Archiving

World Backup Day is March 31st – a whole day to help remind us to ensure our valuable information is properly protected and available should the need arise. Obviously, valid backup and recovery is a foundational component of incident response and information security. An incident could be a system malfunction, user error or adversarial maliciousness.

Continue reading World Backup Day and NIST SP 800-171
Posted on

NIST SP 800-171 and DFARS Clause 7012

NIST SP 800-171 & DFARS Clause 7012 .

New Cyber Security Regulations

For small businesses planning to business with the U.S. Government and Department of Defense, new cyber security and incident reporting rules will apply. The rules can impact your contract work and the data sent, received or created as part of those efforts. These rules are primarily codified in the National Institute for Science and Technology Special Publication 800-171 Privacy Controls for Federal Information Systems and Organizations and Clause 252.204-7012 to the Defense Federal Acquisition Regulation Supplement.

Continue reading NIST SP 800-171 and DFARS Clause 7012
Posted on

Email Security and NIST SP 800-171 Compliance

email security Nist compliance

Like most everyone else, we use email services daily in our small business activities. From general announcements to document and file sharing, email is ubiquitous. Adversaries have long known this fact as well and is evidenced by the amount of spam and malicious email we see in our inboxes. In fact, worldwide, more than half of the email we receive can be attributed to unwanted spam, advertising or phishing. Phishing, of course, being one of the most concerning as senders attempt to extract important information or credentials from victims.

Continue reading Email Security and NIST SP 800-171 Compliance