Every organization should do its due diligence in protecting the sensitive data of its company and its clients. This is done by implementing cybersecurity practices and controls that defend against the most common and dangerous cyber threats businesses face today. Many organizations, however, also have an obligation to the federal government or to their customers to protect information deemed important to national security. Many businesses partner with the federal government to provide the services and materials that support the nation's supply chain and defense. To ensure those contractors are trustworthy and secure, they must follow specific cybersecurity requirements. Since 2017, contractors have been able to self-attest to their implementation of these requirements. In practice, self-attestation allowed inaccurate reporting and resulted in an overall weaker security posture. To remedy this, the Department of Defense (DoD) developed the Cybersecurity Maturity Model Certification, or "CMMC".
The DoD developed the CMMC program to better secure defense contractors throughout the Defense Industrial Base (DIB) and to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI is information, not intended for public release, that is provided by or generated for the federal government under a contract. CUI is information that the government creates or possesses, or that a contractor creates or possesses on the government's behalf, and that a law, regulation, or government-wide policy requires to be safeguarded with specific controls and handling procedures.
CMMC does not introduce a new set of security controls; it is a mechanism for verifying that contractors actually meet the requirements already placed on them. Specifically, CMMC is built on the security requirements of NIST SP 800-171 Rev. 2, published in 2020. Under CMMC, many contractors will no longer be able to simply self-attest to compliance with these requirements and will instead have to undergo an assessment conducted by a CMMC Third Party Assessment Organization (C3PAO).
The Three Levels
The CMMC model consists of three maturity levels that build on one another. The level a contractor must meet depends on the type of information it handles. The levels are as follows:
Foundational (Level 1): Contractors that handle FCI must meet CMMC Level 1. It consists of the basic safeguarding requirements specified in FAR 52.204-21.
Advanced (Level 2): The majority of contractors will fall under CMMC Level 2. It applies to any organization handling CUI and maps to the 110 security requirements of NIST SP 800-171.
Expert (Level 3): The most stringent level, CMMC Level 3 applies to organizations that handle CUI and are targets of more advanced threats. It builds on Level 2 with additional requirements drawn from NIST SP 800-172, and Level 3 assessments are conducted by the government rather than by a C3PAO.
Many organizations wonder whether CMMC applies to them. The simple answer is that if your business is contracted by the DoD, handles FCI or CUI, or (in many cases) supplies a prime contractor that does, your organization will have to comply. Subcontractors are frequently at increased risk of being targeted by cyber criminals because of their smaller size and more limited security resources. A compromised subcontractor can provide a foothold into a larger organization and lead to a far more serious data breach.
The CMMC rule has been in the works for several years as it makes its way through the rulemaking process. Because finalizing the rule has taken so long, many organizations have put off compliance and taken a "wait and see" approach. However, with assessment dates being scheduled for November 2024, CMMC is only a few months away from appearing in contracts.
Here is a brief explanation of where CMMC currently stands and how it got to this point:
As previously mentioned, while CMMC itself is new, the controls it is based on are not. The foundation of the CMMC model is NIST SP 800-171 Rev. 2, which was developed to protect CUI residing in the systems of nonfederal organizations such as government contractors. Contract requirements based on NIST SP 800-171 have been in place since 2017, but there was no real accountability mechanism to ensure contractors were self-assessing accurately. CMMC does not introduce new controls; it verifies that contractors are fulfilling responsibilities they already have. This means defense contractors should have implemented these controls already, and CMMC is the next step in making sure the national supply chain is secure. If your organization already knows its score in the Supplier Performance Risk System (SPRS) and can attest to its NIST SP 800-171 compliance, you are one step ahead on your compliance pathway.
Contractors may have many questions about where to start when it comes to actually achieving CMMC compliance. The truth is that CMMC compliance can be complex, expensive, and time-consuming. For organizations that have not yet started, reaching full compliance typically takes 12 to 18 months.
Utilizing an MSP, known as an External Service Provider (ESP) under CMMC
For small organizations without dedicated IT staff, enlisting an external service provider or MSP may be necessary. Before choosing a partner, make sure they understand the CMMC requirements and are prepared to undergo a third-party assessment when the time comes: the services an ESP provides to you are within the scope of your own assessment, so a provider that cannot demonstrate its own compliance puts your certification at risk. An ESP/MSP offers a number of benefits including:
CorpInfoTech is an MSP (ESP) that offers IT, cybersecurity, and compliance solutions to SMBs across the U.S. Our services include security and risk assessments, firewall management (xDEFENSE), vulnerability management (v360), managed IT, and compliance assistance. As a Registered Practitioner Organization (RPO) with the Cyber AB, CorpInfoTech is registered to provide services to organizations seeking certification (OSCs), and our own assessment is scheduled for November 2024. By partnering with CorpInfoTech, contractors can expect coverage of 200+ of the requirements associated with CMMC.
Choosing a security framework on which to build your cybersecurity plan is crucial, and picking the right one also supports compliance. CorpInfoTech uses the CIS Controls in all of our services to deliver stronger security while addressing compliance needs. The CIS Controls are a set of practical security domains containing safeguards designed to defend against the most common threats businesses face, and they are mapped to many of the regulatory requirements businesses must meet today, including CMMC. CorpInfoTech is the first organization to receive accreditation under the CIS Controls, meaning our ability to implement the Controls has been externally verified and recognized by the Center for Internet Security.
To learn more about how CorpInfoTech keeps its clients secure and compliant, contact us today!