Why Did The DoD Create CMMC and How Can Companies Comply With It?
The Department of Defense is eager to ensure that the more than 300,000 companies in its supply chain are well defended against cybercriminals, and it’s not hard to see why. The DoD oversees all branches of the United States military and holds crucial information that hackers and even rogue foreign nations would love to get their hands on. What’s more, the Department of Defense has suffered some humiliating breaches in the last few years. In late 2018, a data breach targeting the DoD’s travel record system exposed the personal information of 30,000 individuals. In the latter half of 2019, the Defense Information Systems Agency informed its employees that it had experienced a security incident in May or June 2019 that may have exposed personal information. To make matters worse, a Pentagon-sanctioned penetration test of the DoD’s systems found 31 vulnerabilities, including nine high-severity ones. The ethical hackers conducting the test were even able to access an F-15 Eagle fighter jet system, although the Pentagon has not said whether the result could be reproduced while the jet is in flight.
The Department of Defense has long known that cyberattacks could pose a grave threat to its operations. To counter these threats, it put in place the Defense Federal Acquisition Regulation Supplement (DFARS) to push DoD contractors to adopt the NIST SP 800-171 cybersecurity standard. Contractors that met DFARS requirements were to be given a competitive advantage when bidding on contracts, so many contractors did make an effort to meet them, either on their own or with the help of a managed IT service company. Other contractors, however, never attempted to comply with DFARS, and some even claimed compliance when this was not the case. Because of the slow adoption rate, the DoD decided to roll out the CMMC.
What is CMMC?
Cybersecurity Maturity Model Certification (CMMC) has been in the works for some time. It was first released in January 2020 but has been updated twice since then. University Affiliated Research Centers, Federally Funded Research and Development Centers, and industry experts all played a role in the creation of the certification, which is divided into five levels:
- Level One is the basic level. To pass an audit for this level, a DoD contractor needs to implement basic cybersecurity best practices such as running up-to-date antivirus software and ensuring employees select strong passwords and change them regularly. This level is suitable for contractors who work with Federal Contract Information; that is, information not available to the general public that is provided to a contractor so the contractor can supply products and/or services to the DoD.
- Level Two is an intermediate level. To reach this level a company has to meet nearly 50 controls from NIST 800-171 plus seven new controls that have not yet been outlined. Companies at this level have access to, and are required to protect, Controlled Unclassified Information.
- Level Three is an advanced intermediate level. Companies at this level must meet all NIST 800-171 r2 cybersecurity requirements along with thirteen new controls. Level Three companies must also have institutionalized management plans in place to ensure all employees are adhering to good cyber hygiene practices.
- Level Four is advanced. At this level, contractors are required to have the resources and expertise needed to deter and respond to advanced persistent threats (APTs). An APT is defined as any adversary with a high level of expertise and resources; the term covers not just individual hackers but also foreign nations. Level Four companies are also required to implement nearly a dozen NIST 800-171 RevB controls plus fifteen additional controls.
- Level Five is extremely advanced. Companies at this level must have sophisticated abilities to detect and respond to any type of advanced persistent threat. Level Five companies must also adhere to additional NIST 800-171 RevB controls and eleven additional controls. Furthermore, a business with Level Five certification must be able to continually improve its cybersecurity capabilities to withstand evolving threats.
The Department of Defense is working with the CMMC Accreditation Body to create procedures that would provide Third-Party Assessment Organizations with the certification needed to evaluate DoD contractors and assign these contractors a level based on their cybersecurity capabilities. Additionally, government program managers would be tasked with reviewing a business should a cyberattack occur. A cybersecurity incident would not necessarily result in a loss of CMMC certification but such an outcome is a real possibility. What’s more, contractors presently wouldn’t have the right to appeal a government program manager’s decision although the DoD has indicated that it will create an appeals process at some point in the future.
The Pentagon won’t require CMMC certification from all of its contractors until 2026, but program implementation is already under way. The DoD was slated to begin including minimum certification requirements from June 2020 onward, which means CMMC has already affected a select number of contractors that must now obtain certification in order to bid on requests for proposals (RFPs) for certain contracts.
Why Did the DoD Create CMMC Levels?
The required certification level depends on the type of information a contractor is working with. Companies that don’t handle classified or top-secret information won’t need a high level of certification while companies that work with highly classified information will be held to a high cybersecurity standard. The variance in standards enables small firms to partner with the DoD even if they are not able to afford costly cybersecurity upgrades needed to become a top-level company.
These levels also make it easy for subcontractors to partner with certified DoD contractors to provide needed products and/or services. Subcontractors, like prime contractors, will be required to obtain CMMC certification; however, they won’t necessarily have to obtain the same level of certification as the company they are working with. For instance, a subcontractor with a Level One certificate could be allowed to work with a company with Level Four or Level Five certification as long as the highly certified company does not share information with the Level One company that surpasses that company’s level of certification.
How Can Companies Comply with CMMC Requirements?
IT experts agree that contractors and subcontractors need to start now if they hope to successfully obtain CMMC certification when the time comes. It will take time for a company to successfully meet all the CMMC requirements for its desired level of certification. What’s more, companies that don’t prepare in advance may not be able to schedule an audit in time to receive certification in advance of bidding for a desired DoD contract.
A company can handle the preparations and assessments in-house or outsource the task to a managed security service provider that offers CMMC compliance services. The latter course of action is highly recommended even if your company has an in-house IT department. Your in-house IT experts will need to manage day-to-day IT operations such as software updates, IT assistance to employees, data collection and assessment, software development, IT help services, and a host of other ongoing tasks. Adding to your team by partnering with a knowledgeable IT managed service firm will provide you with extra manpower to keep your current IT set-up flowing smoothly as you prepare to make needed upgrades.
Introducing LaScala IT
Obtaining CMMC certification can be a formidable challenge; even so, it’s not the end goal in itself. Companies that want to work with the DoD successfully, now and in the future, will need a strong internal cybersecurity culture and the ability to detect and deal with a wide range of cyberthreats. A secure, reliable IT set-up will enable your business to stand out from competing CMMC-certified companies. It will provide you with the cutting-edge tools and capabilities you need to offer stellar services at a reasonable price. It will provide your employees with the technology they need to do their jobs quickly and efficiently, improving office morale and reducing employee turnover. Furthermore, an ideal IT set-up gives business owners and busy company executives the time they need to focus on core business goals.
LaScala IT is an IT managed service provider that specializes in CMMC compliance and offers a host of IT tools and services you need to keep your IT set-up running at optimal speed and performance at all times. We offer:
- Extensive experience helping companies understand and become compliant with NIST regulations that are at the heart of the new CMMC certification guidelines.
- Managed IT security services that will monitor your network 24 hours a day, seven days a week, 365 days a year. Our monitoring service not only proactively deals with potential vulnerabilities that could lead to a breach but also detects and isolates potential attacks.
- Penetration testing that allows knowledgeable, experienced “ethical hackers” to regularly assess your IT defenses and identify weak areas that could be exploited by a malicious third party.
- Compliance management to ensure your business is in step not only with CMMC certification requirements but also local, state, and federal industry requirements.
- IT consulting that offers tailored, industry-specific advice to help you improve overall IT security and performance.
- Endpoint protection to ensure that remote workers and third-party suppliers connecting to your network are not introducing vulnerabilities that could lead to a breach. Our protection also covers mobile devices that employees and subcontractors may use to handle jobs for your company.
- Cybersecurity training for all staff members, coupled with ongoing testing to ensure your employees are adhering to cybersecurity best practices. Given that more than 40% of security breaches are caused by employee error, ongoing cybersecurity training is one of the most efficient ways to keep your business secure from cybercriminals. We help your employees understand the importance of selecting strong passwords and using two-factor authentication, and we give practical instruction on recognizing potentially dangerous emails and pop-ups. We also teach employees how to recognize a potential ransomware attack and what to do if they detect one in progress.
- IT managed services to ensure your IT set-up is in good working order at all times. If something goes wrong, we immediately assign the technician who is best able to deal with the problem to address the issue. Our managed services also include regular software upgrades, license renewals, and other mundane yet important IT tasks.
- Access to the best IT products and services via our partnerships with leading technology companies such as Dell, Fortinet, Carbon Black, Microsoft, CloudSAFE, ConnectWise, Lenovo, VMware, and RingCentral.
Is your business struggling to understand and implement NIST guidelines? Alternatively, are you NIST compliant but don’t understand the new CMMC guidelines and how they will impact your company? If so, we can offer customized, personalized advice and expertise to help you upgrade your IT department to meet new CMMC requirements. Our veteran-led company has been in business since 2010 and we have ample experience working with DoD contractors and subcontractors to create secure, optimized IT set-ups that will meet a business’s current and future needs. Get in touch with us at your convenience to learn more about IT tools and services or to schedule an appointment with an expert CMMC consultant.