
A Headstart to Cybersecurity Maturity Model Certification (CMMC)


Cybersecurity Compliance

The U.S. Department of Defense (DoD) is planning to implement a new cybersecurity compliance program called Cybersecurity Maturity Model Certification (CMMC). Under this new initiative, any company planning to do business with the DoD must first be evaluated by a 3rd party assessor and receive a CMMC rating. That rating must meet the requirements stated in the contract's request for proposal. In my previous article, Cybersecurity Maturity Model Certification, we note that the timeline for implementation of this new program is rather aggressive, perhaps as little as one year from now. Since the CMMC rating will be a prerequisite to even submitting a contract bid, how can small businesses proactively set the conditions for their future success?

How to prepare for CMMC

It’s important to note that CMMC is not just a stack of paperwork. Rather, it is an affirmation that business processes include appropriate security controls governing processes, people, and technology to protect government and company information and systems. Obviously, this level of process control, like any other business workflow, doesn’t happen overnight or with a stroke of the pen. It requires planning, coordination, training, implementation and oversight. All of those take time and, quite frankly, significant resources. So it is important to start now, so that your CMMC program has matured before the 3rd party assessment arrives in less than a year.

CMMC is tightly coupled with the requirements for protecting controlled unclassified information (CUI) and covered defense information (CDI) per the guidelines in NIST SP 800-171 revision 1 and DFARS Clause 7012. These two references will likely not be the only guidance that informs CMMC. Since protection of CUI and CDI is the primary goal of the government’s logistics and supply chain security efforts, we expect that applying the standards of NIST SP 800-171 and DFARS Clause 7012 will meet the majority of CMMC requirements and ensure your cybersecurity program is implemented and maturing.

The United States Office of the Under Secretary of Defense for Acquisition & Sustainment has created a web site with information that will be updated as the program matures: https://www.acq.osd.mil/cmmc/index.html.

Assured Bridge is your Compliance Partner

The Assured Bridge Team is following these developments closely to ensure our secure environment services meet the CMMC requirements, while maintaining and improving compliance with the NIST SP 800-171 framework. We envision that adherence to NIST SP 800-171 and DFARS Clause 7012 standards will meet the vast majority of requirements for CMMC levels 1-3. We have also begun designing improvements to support those customers requiring compliance with levels 4-5. We remain committed to providing secure and compliant operations environments and resource knowledge that our customers can depend on to protect their sensitive information and meet the U.S. government’s security objectives to protect our nation’s interests, information and intellectual property.

We know these changes are happening fast and some of the details and requirements can be confusing or contradictory. Not all small businesses have the resources needed to stay abreast of these developments, not to mention implementing the necessary business process changes. We’re here to help. Feel free to contact us to help build your cybersecurity program and team. Our contact information is available at https://assuredbridge.com.


Cybersecurity Maturity Model Certification


The U.S. Department of Defense continues its push to strengthen the security of the Defense Industrial Base and the critical information contained therein. Businesses either currently involved in, or hoping to bid on, contracts with the U.S. Department of Defense must soon prove their commitment to cybersecurity before being allowed to even bid on new work – in perhaps as little as one year from now.

A New Cybersecurity Requirement in Less Than a Year

This new effort is led by the DoD’s Under Secretary of Defense for Acquisition and Sustainment and is called the Cybersecurity Maturity Model Certification (CMMC) program. Under this new program, prior to bidding on and winning contract work, companies must undergo a cybersecurity assessment by an authorized 3rd-party assessor. These assessors will use security control frameworks such as NIST SP 800-171, ISO 27001, NIST SP 800-53 and others to evaluate the maturity and effectiveness of a company’s cybersecurity program. Once assessed, a rating between 1 and 5 is assigned, with 1 being basic compliance and 5 indicating advanced and comprehensive compliance.

Security Assessments by Authorized Assessors

According to the Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, starting in mid-CY2020 contracts will include a Cybersecurity Maturity Model Certification (CMMC) rating requirement of 1 to 5. To respond to and bid on this work, the responding company must hold a CMMC rating equal to or greater than that specified in the Request for Proposal (RFP). This rating must have been earned through an assessment by an authorized assessor recognized by the Department of Defense. These assessors are intended to be independent entities, not associated with other products or services sold to the government or its contractors.

CMMC Ratings

The required CMMC rating is based on the sensitivity of the information associated with, or generated in support of, the contract work. We expect that most contracts will require a rating of 1 to 3, with 1 being associated with contracts for which little to no sensitive information is generated, up to 3 for those that may include sensitive information categorized as controlled unclassified information (CUI) and special access to government systems and facilities. Ratings of 4 and 5 will likely be reserved for programs with additional sensitive information, plans, technology and other unique requirements.

The Resource Challenge

Obviously, this effort is intended to stem the tide of U.S. intellectual property and critical data being stolen by U.S. adversaries. We have all heard the many reports of exploits, compromises and data leaks that plague not only our Defense Industrial Base (DIB), but also our commercial and personal interests. From this perspective, such an effort is commendable though daunting. Many small businesses have only recently come to terms with the security requirements for handling CUI, which went into effect less than 2 years ago and remain a challenge. The CMMC requirement poses another significant challenge to resource-constrained small businesses. The Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, speaking at various recent conferences, has noted that a mechanism is planned to allow reimbursement for some of the cybersecurity costs via allowable charges in contract terms.

An Aggressive Timeline

While the DoD has been pressing for increased DIB cybersecurity since the introduction of NIST SP 800-171 and DFARS 7012, the Cybersecurity Maturity Model Certification program was introduced rapidly, with details still slow to emerge. A number of announcements and discussion sessions are underway, and representatives from OUSD(A&S) are speaking at various defense conferences. The timeline announced thus far includes published CMMC version 1.0 standards by the end of January 2020, assessment organizations offering services soon after, and government requests for proposals (RFP) and requests for information (RFI) including CMMC requirements by June 2020, with contracts requiring assessed compliance soon after.

Assured Bridge is your Compliance Partner

The Assured Bridge Team is following these developments closely to ensure our secure environment services are commensurate with the CMMC requirements, while maintaining and improving compliance with the NIST SP 800-171 framework. We envision that adherence to NIST SP 800-171 standards will meet the vast majority of requirements for CMMC levels 1-3. We have also begun designing improvements to support those customers requiring compliance with levels 4-5. We remain committed to providing secure and compliant operations environments and resource knowledge that our customers can depend on to protect their sensitive information and meet the U.S. government’s compliance objectives.

The United States Office of the Under Secretary of Defense for Acquisition & Sustainment has created a Cybersecurity Maturity Model Certification web site with information that will be updated as the program matures: https://www.acq.osd.mil/cmmc/index.html.


Multifactor Authentication – Raising the Bar


Organizations doing business with the U.S. Government, or planning to do so, must consider the potential for increased cybersecurity requirements. Contracts that include the creation, communication and/or storage of controlled unclassified information (CUI) are specifically encumbered by the requirements described in NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Additional controls may be imposed if the contract serves the Department of Defense and includes covered defense information. These additional measures are outlined in DFARS Clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting.


Business Operating Policies Enable Compliance


Compliance with the security controls described in NIST SP 800-171 Revision 1 and DFARS Clause 252.204-7012 is required for organizations doing business with the U.S. Federal Government that involves the transfer, storage and processing of controlled unclassified information (CUI) and/or covered defense information (CDI).


Information System Maintenance and Compliance for CUI Protection


Maintenance Required

If you’re a small business working on a government contract that includes requirements for the protection of controlled unclassified information (CUI), it’s important to remember that remaining compliant is a continuous process. National Institute of Standards and Technology Special Publication 800-171 contains the guidelines for establishing and maintaining the security processes and controls required by many contract terms. These requirements include maintaining and updating the systems used in support of the contract efforts.


NIST SP 800-171 Control Families – Overview


For non-governmental organizations that do, or hope to do, business with the U.S. government, careful consideration must be given to whether controlled unclassified information is part of the specified contract work. Controlled unclassified information (CUI) is sensitive in nature and is restricted from public distribution. It is not classified information; rather, it consists of products or by-products of government contract work that have been deemed to deserve additional protection.


World Backup Day and NIST SP 800-171


Backups and Archiving

World Backup Day is March 31st – a whole day to remind us to ensure our valuable information is properly protected and available should the need arise. Obviously, valid backup and recovery is a foundational component of incident response and information security. An incident could be a system malfunction, a user error or adversarial maliciousness.


NIST SP 800-171 and DFARS Clause 7012


New Cyber Security Regulations

For small businesses planning to do business with the U.S. Government and Department of Defense, new cyber security and incident reporting rules will apply. The rules can impact your contract work and the data sent, received or created as part of those efforts. These rules are primarily codified in National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and in Clause 252.204-7012 of the Defense Federal Acquisition Regulation Supplement.


Email Security and NIST SP 800-171 Compliance


Like most everyone else, we use email services daily in our small business activities. From general announcements to document and file sharing, email is ubiquitous. Adversaries have long known this fact as well, as evidenced by the amount of spam and malicious email we see in our inboxes. In fact, worldwide, more than half of the email we receive can be attributed to unwanted spam, advertising or phishing. Phishing, of course, is one of the most concerning, as senders attempt to extract important information or credentials from victims.


Compliance is a Shared Responsibility

At Assured Bridge, we’ve created services that help businesses meet their security and compliance requirements as described by NIST SP 800-171 and DFARS Clause 7012. It’s important to note that I say “help” here; not all the security controls and processes needed can be purchased. Part of the compliance effort involves changes to how your company operates.
