Be Prepared for New Defense Department IT Security Guidelines
The Department of Defense has issued new cybersecurity guidelines for contractors. Learn how the new CMMC rules compare to other mandates and how to prepare.
Federal Contractors IT Security Guidelines
Federal contractors today face a dizzying array of IT security guidelines. Understanding the differences in these constructs and how to apply them to your business is essential for anyone wanting to do business with federal agencies and other governmental entities.
The Department of Defense is rolling out a new set of cybersecurity standards, dubbed the Cybersecurity Maturity Model Certification (CMMC) program. The CMMC is slated to take effect with requests for proposals as of June 2020. It incorporates and shares many similarities with other cybersecurity guidelines used in other contexts, including NIST SP 800-171 and the Federal Acquisition Regulations (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).
What’s more, these structures rely on two other concepts — Controlled Unclassified Information (CUI) and Zero Trust Architecture. It’s enough alphabet soup to give any IT executive or C-level official a bad stomach ache.
Let’s start with the data these guidelines are seeking to protect.
What Is CUI?
Controlled Unclassified Information is the collection of unclassified data that needs to be protected by nongovernment entities. It generally covers information that falls under one of the following categories:
- Information identified in a government contract
- Information provided by the Defense Department to a contractor
- Information created by a contractor during the execution of a government contract
The information deemed CUI varies and falls into several categories. For example, patent applications and inventions make up one CUI category. Another category covers privacy data, including death records, genetic information, health information, student records, personnel records and military records.
The data covered is clearly sensitive and merits protection. Federal agencies have, over time, used various methodologies to ensure that contractors are keeping that data secure.
What Is Zero Trust Architecture?
In late 2019, the Commerce Department’s National Institute of Standards and Technology unveiled a new set of standards, including terms and definitions intended to help organizations adopt a Zero Trust Architecture approach. ZTA is an increasingly popular approach to network security.
Historically, network security has focused on wide network perimeters. With ZTA, that focus instead narrows to a small group of resources or individuals. There’s a fundamental lack of trust with ZTA. Being a part of a local area network or located on-premises is no longer adequate cover.
With ZTA, access is granted only when a resource is required. And both the user and device are authenticated before a connection is established.
The shift to ZTA is driven by the dramatic growth in cloud applications and remote users. The perimeter is no longer the right focus for network security; ZTA instead focuses on protecting individual resources.
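To make the contrast concrete, the following is an added example (not code from the article, NIST, or any real product) that models the two decisions side by side: a perimeter model that trusts any request originating from the internal network, and a zero-trust model that ignores location and requires an authenticated user, an attested device and a per-resource authorization before granting access. The identities, device posture flags, IP addresses and resource names are constructed sample values.

```python
"""Toy comparison of perimeter-based versus zero-trust access decisions."""
from dataclasses import dataclass
import ipaddress

# Constructed internal address range used by the legacy perimeter check.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Device:
    device_id: str
    attested: bool  # passed a posture check (managed, patched, disk encrypted)


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool  # completed strong (e.g. multi-factor) authentication
    roles: frozenset


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    source_ip: str
    resource: str


# Constructed per-resource policy: which roles may reach which resource.
RESOURCE_POLICY = {
    "cui-share": {"contracts", "engineering"},
    "hr-records": {"hr"},
}


def perimeter_decision(req: Request) -> bool:
    """Legacy model: being on the internal network is the whole check."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_decision(req: Request) -> tuple:
    """Zero-trust model: location is ignored. The user and the device are
    both verified, then the user must be authorized for this specific
    resource. Anything not explicitly allowed is denied."""
    if not req.user.authenticated:
        return False, "user not authenticated"
    if not req.device.attested:
        return False, "device failed posture check"
    allowed_roles = RESOURCE_POLICY.get(req.resource)
    if allowed_roles is None:
        return False, "unknown resource (default deny)"
    if not (req.user.roles & allowed_roles):
        return False, "user not authorized for resource"
    return True, "granted"


# Constructed sample requests covering the cases that separate the two models.
SAMPLE_REQUESTS = {
    # Unmanaged laptop on the LAN with no authenticated session.
    "lan_unverified": Request(
        User("guest", False, frozenset()), Device("lt-01", False),
        "10.1.2.3", "cui-share"),
    # Remote employee, MFA completed, on a managed device, correct role.
    "remote_verified": Request(
        User("alice", True, frozenset({"contracts"})), Device("lt-02", True),
        "203.0.113.7", "cui-share"),
    # On-premises, fully verified, but not authorized for this resource.
    "lan_wrong_role": Request(
        User("bob", True, frozenset({"hr"})), Device("lt-03", True),
        "10.1.2.4", "cui-share"),
}


def evaluate_samples() -> dict:
    """Return {name: (perimeter_allows, zero_trust_allows)} for each sample."""
    return {
        name: (perimeter_decision(req), zero_trust_decision(req)[0])
        for name, req in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        granted, reason = zero_trust_decision(req)
        print(f"{name:16} perimeter={perimeter_decision(req)!s:5} "
              f"zero_trust={granted!s:5} ({reason})")
```

Running the script shows the two models disagreeing on every sample: the perimeter check admits the unverified LAN laptop and the wrongly-authorized insider while refusing the legitimate remote user, whereas the zero-trust check reverses all three outcomes and records why each request was denied.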
What Are the New DoD Cybersecurity Requirements?
Before looking at the new CMMC guidelines, it’s important to note the general guidelines used for federal contracting. FAR is a set of guidelines that regulate how businesses do work with the federal government. FAR guidelines include some basic rules regarding cybersecurity that contractors must follow.
DFARS is a set of guidelines specific to contractors working with the Defense Department, requiring vendors to provide adequate security and report cyber incidents promptly.
For many years, NIST SP 800-171 was the standard for contractor cybersecurity and how DFARS compliance was met. NIST SP 800-171 guidelines require contractors and subcontractors to demonstrate compliance with IT security in 14 categories covering technical areas such as incident response, configuration management and maintenance schedules. They also cover training, policies, risk assessment and physical security. Within those 14 categories are 110 specific points of compliance.
CMMC is poised to take over as the primary regulatory structure for IT security, prompted by a rash of data breaches and concerns that the NIST mandates do not provide enough protection.
The other issue is the self-reporting nature of some NIST SP 800-171 components. That means less-scrupulous contractors who do not apply the same rigor (and associated cost) may be at an advantage when bidding for DoD contracts.
CMMC is structured around five levels of compliance. Basic cyber hygiene, the first level, meets the most basic federal standards for safeguarding contractors’ information systems. NIST SP 800-171 maps to the middle level under CMMC (good cyber hygiene). It’s the level contractors must achieve to access CUI.
Two upper levels of compliance are reserved for contractors that demonstrate a more robust defense against advanced and sustained cyberattacks.
How Does CMMC Help the Department of Defense?
For the Defense Department, CMMC is designed to help the agency simplify the evaluation of potential contractors. For one, DoD contracts will define at what CMMC level a contractor must be certified to bid on the contract. It also helps level the playing field with contractors that had previously been self-reporting many of the compliance requirements.
Businesses can become certified via an independent third-party evaluator, though the duration of the certification has not yet been set.
What Can My Business Do To Meet CMMC Requirements?
LaScala IT works with businesses to keep data and systems protected. Our cybersecurity assessment tools help businesses prepare for CMMC evaluations and deliver ongoing compliance management solutions. Learn more about how LaScala IT can keep your business compliant and protected by contacting us today.