In response to a series of high-profile breaches of DoD information, the DoD has introduced its newest cybersecurity framework and standard: the Cybersecurity Maturity Model Certification (CMMC).

What is CMMC?

The CMMC will encompass multiple maturity levels, ranging from "Basic Cybersecurity Hygiene" to "Advanced". The intent of the CMMC is to combine various cybersecurity control standards into one unified cybersecurity standard.

All companies doing business with the Department of Defense will need to obtain CMMC.

Understanding Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) will be a new requirement for existing DoD contractors, replacing the self-attestation model and moving toward third-party certification.

How will it affect your organization?

All companies conducting business with the DoD must be certified. The maturity level required is set by the terms of each individual contract that the contractor intends to bid on with the DoD.

How can my organization become certified?

The certification process is still being developed by the CMMC-AB and may be subject to change. However, under the current guidelines, your organization will coordinate directly with an accredited, independent third-party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the certification level requested based on its specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the required capabilities and organizational maturity to the satisfaction of the assessor and certifier.

How to Prepare for the CMMC

eTrepid advises focusing on what you are required to do today as the best approach to current and future compliance requirements. Nothing that has been proposed eliminates the requirement to implement NIST 800-171.

There is no easy way to achieve compliance with all 110 security requirements, and CMMC is still an evolving model, but the most effective way to ensure long-term success is to make compliance a documented, automated outcome of day-to-day operations.

What is NIST SP800-171?

NIST SP 800-171 is a set of guidelines published by the National Institute of Standards and Technology (NIST) in 2015, with compliance required as of December 31, 2017. The purpose of the guidelines is to "ensure that sensitive federal information remains confidential when stored in nonfederal information systems and organizations."

As a DoD contractor, you are subject to oversight and regulations that you would otherwise avoid in traditional business transactions.

Enforcement of these regulations is handled directly by the Department of Defense, making compliance absolutely mandatory.

Understanding NIST 800-171

All regulations outlined in 800-171 can be summed up in two broad categories: administrative and technical. NIST Special Publication 800-171 (SP 800-171, or simply 800-171), "Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations", covers security standards and controls that provide guidance for safeguarding controlled unclassified information (CUI) and covered defense information (CDI).

Put simply, 800-171 is a set of standards that define how to safeguard and distribute material deemed sensitive but not classified.

For some government agencies, most notably the DoD (Department of Defense), GSA (General Services Administration) and NASA (National Aeronautics and Space Administration), a revised set of rules for NIST compliance took effect on December 31, 2017, requiring anyone who works with CUI from those agencies to implement specific security measures for how they handle data and to report non-compliance to the agency's CIO.

Under federal regulations such as DFARS clause 252.204-7012, every affected company and agency is now required to assess and document its compliance in handling this information across more than a dozen areas, from the way its networks are configured, to the way any and all media is protected, to the way employees receive access to the NIST 800-171 standard.

Prior to these requirements, every agency had its own unique set of rules for handling, safeguarding and disposing of this material. These inconsistent standards posed a challenge – and a potential security concern – whenever information needed to be shared, especially when multiple contractors became part of the process.