Are you ready for CMMC requirements?
The Cybersecurity Maturity Model Certification (CMMC) is already taking the defense industry by storm. A new, five-level compliance standard from the U.S. Department of Defense, CMMC establishes the guidelines that your organization must adhere to in order to work on future DoD contracts.
What Is CMMC?
A Brief Overview
The five-level, pass or fail system determines not only what specific Defense contracts your company can work on, but whether or not your company is eligible to work on Defense contracts at all. Luckily, Sabre On Point can assist your company in preparing for CMMC and continuing to work in the defense industry.
The Cybersecurity Maturity Model Certification incorporates various cybersecurity standards and “best practices” that are mapped across several maturity levels ranging from: 1 (Basic Cyber Hygiene) to 5 (Advanced), each building off of the last.
Each level has associated compliance processes, that, when implemented, will reduce risks against a specific set of cyber threats.
How Does It Work?
A Two-Entity Approach
Auditors: Independent auditors will conduct evaluations based on the desired CMMC certification level (1-5) and determine if the DoD contractor is compliant.
Department of Defense: The DoD will measure compliance with the DFARS and NIST requirements to ensure contractors are handling sensitive unclassified information properly.
CMMC Level Overview
Demonstrate basic cyber hygiene, as defined by the Federal Acquisition Regulation (FAR).
- Demonstrate intermediate cyber hygiene.
- Standard operating procedures, policies, and plans established for all practices.
- Demonstrate good cyber hygiene and effective NIST SP 800-171 Rev. 1 Security Requirements.
- All activities are reviewed for adherence to policy and procedure and are adequately resourced.
- Demonstrate a substantial and proactive cybersecurity program.
- All activities are reviewed for effectiveness and management is informed of any issues.
- Demonstrate a proven ability to optimize capabilities in an effort to repel advanced persistent threats.
- All activities are standardized across all applicable organizational units and identified improvements are shared.
Who Is Affected and How?
- Teams and Subcontracting: Potential for Stricter Vendor Approval Processes With Larger Firms
- Small Business Vendors and Start-Ups: Potential Barrier For Entry
Risks of Noncompliance
- Pass/Fail Evaluation
- 21 Additional Controls Beyond NIST SP 800-171; No Falling Back on SSP or POA&M.
- Failure Bars You From Work on DoD Contracts.
- A Low Score Limits Your Contract Availability.
- All Primes and Subs MUST Have a CMMC Certification Prior To Contract Award.
What Major Challenges Are There?
- Migration to Office 365 GCC High
- SIEM Solutions
- Backup Solutions
- Managing Non-Supporting Hardware/Software
- Identifying, Categorizing, and Labelling CUI