Cybersecurity Maturity Model Certification (CMMC)
CMMC is the DoD's new requirement for winning new contracts
Cybersecurity Maturity Model Certification (CMMC) is becoming a requirement for all DoD contractors. CMMC is the DoD cybersecurity standard being deployed initially throughout the defense industrial base (DIB) supply chain. It was created in response to significant and ongoing compromises of sensitive defense information held on commercial vendors' systems. How you approach the process of becoming compliant can directly affect the future of your business with the government: failure to attain the required level will preclude you from bidding on future DoD RFPs. Whether or not you are familiar with everything CMMC entails, JANUS can help you undertake the process and guide you to compliance. Our subject matter experts can walk you through each step and help you streamline the effort.
The 5 Levels of CMMC Certification
The CMMC framework sets forth 5 distinct levels of certification. Each level indicates the cybersecurity improvements a company has made and reflects the maturity of the firm's cybersecurity program for protecting sensitive government information. The levels are cumulative: each builds on the technical requirements of the previous level and adds further practices to strengthen cybersecurity. New RFPs issued by DoD will specify the level of certification required to respond.
Level 1 – Basic Cyber Hygiene: Companies must perform "basic cyber hygiene" practices, including the use of anti-virus software and enforcement of regular password changes, to protect Federal Contract Information (FCI). FCI is "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government." It does not include information the government provides to the public or certain transactional information.
Level 2 – Intermediate Cyber Hygiene: Companies are required to document certain "intermediate cyber hygiene" practices in order to begin protecting Controlled Unclassified Information (CUI). This is accomplished through implementation of a subset of the requirements in National Institute of Standards and Technology (NIST) Special Publication 800-171 Rev. 2. CUI is "any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls," but it does not include classified information.
Level 3 – Good Cyber Hygiene: Companies are required to have an established management plan in place designed to implement "good cyber hygiene" practices, including safeguarding all CUI. The plan must cover all of the NIST 800-171 Rev. 2 security requirements as well as additional practices beyond that standard.
Level 4 – Proactive Cyber Hygiene: Companies must have deployed processes to review and measure the effectiveness of their procedures. They must also establish enhanced practices to detect and respond to the changing tactics, techniques, and procedures used in advanced persistent threats (APTs). The term advanced persistent threat describes an attack campaign in which the intruder establishes a long-term presence on a network, allowing them to surveil network operations and exfiltrate sensitive data.
Level 5 – Advanced and Progressive Cyber Hygiene: Full compliance is achieved when companies have standardized and optimized security processes across the entire enterprise. This includes enhanced practices that provide additional advanced capabilities, designed and properly deployed, to detect and respond to APTs.
There are lots of questions surrounding CMMC, such as what is required of DoD vendors, timelines, and the actual implementation. We have assembled a comprehensive FAQ for your reference. Of course, you can always contact us if you would like to discuss CMMC with a JANUS professional.
A Roadmap for Planning Your CMMC Success
Step 1. If you haven't already done so, it is vital that you assess your organization against the requirements set forth in NIST 800-171. NIST 800-171 (requirement 3.12.1) directs contractors and subcontractors to "periodically assess the security controls in organizational systems to determine if the controls are effective."
Step 2. The next step is to create or update your System Security Plan (SSP). If you don't have one, you will need to develop an SSP now. Your plan must document your policies, network diagrams, and interconnections with other systems within your enterprise. If you already have an SSP, you are required to update it annually, or more frequently if major changes have occurred.
Step 3. Prepare your Plan of Action & Milestones (POA&M). The POA&M clearly spells out your plans for any remediation needed, including timelines and who will be responsible for implementing each activity.
Step 4. Having come this far, it's time to implement your remediation plan. This requires expertise in the NIST 800-171 requirements and may be time consuming and laborious, but it is now going to be required by the government. This course of action protects your future DoD revenue stream.
Step 5. The final step is to maintain your compliance. In the long haul, this may become the most difficult aspect of CMMC certification. Maintaining compliance requires frequent activity on your part and, unless you have in-house cybersecurity expertise, can be complex. Well-documented and actionable procedures that address the ongoing requirements of the DoD security standards will allow you to organize this work into manageable activities.
How JANUS Can Help You Achieve CMMC Compliance
With over three decades of security and compliance experience, JANUS can help you with any and all phases of becoming CMMC compliant. Our subject matter experts understand CMMC and all aspects of cybersecurity. It should be noted that, while there are currently no officially certified CMMC assessors, practitioners, or providers, JANUS is one of the earliest registrants for this. We are ready to assist you in assessing your operations, in determining the lowest maturity level that will suffice for your business, and in finding the most cost-effective way to obtain your certification.
We can help with all five roadmap steps outlined above, and we are always available to answer any questions you may have about attaining compliance. Reach out to us by email, web form, or phone (203.251.0200) to discuss your current state of readiness and where you would ultimately like to be.