CMMC 2.0 and CIS-18 likely have many DoD contractors within the Defense Industrial Base (DIB) feeling a bit confused. It’s no news that reaching or maintaining CMMC compliance with key cybersecurity regulations puts pressure on business leaders: they have to keep up with the latest updates and requirements while ensuring their business is cyber-reliable enough to protect major contracts and business vitality.
The Cybersecurity Maturity Model Certification (CMMC) was introduced by the US Department of Defense (DoD) as a way for the DoD to determine whether an organization has the cyber defense level necessary to work with and control sensitive data. Many are aware of how CMMC aligns with standards outlined by the National Institute of Standards and Technology (NIST), and most DIB business leaders are aware of the importance of CMMC compliance and its impact on their company. But it is common for those who don’t practice cybersecurity for a living to feel uncertain about how to get started or how to keep up with what can feel like ever-changing cybersecurity requirements. Hopefully, this article will help clear away any confusion.
So, What’s the Latest on CMMC for the Defense Industrial Base (DIB)?
Cyber defense requirements were updated to CMMC 2.0 as of November 2021 to include a set of standards for protecting the DIB. The update includes several changes, such as:
- A framework for protecting sensitive information
- Adjustments to requirements that make it easier for businesses to comply with the CMMC
- Increased accountability measures to ensure businesses both reach and maintain compliance
- The introduction of an annual self-assessment and affirmation requirement for Level 1 and a subset of Level 2, measured against the existing basic cyber hygiene requirements
CMMC 2.0 is Structured With Three Levels of Security Requirements for DOD Risk Management:
- CMMC Level 1 (“Foundational”) is the entry level and includes 17 practices that must be met. It mandates an annual self-assessment.
- CMMC Level 2 (“Advanced”) includes 110 practices (controls) that are in line with NIST SP 800-171 Rev 2, which DFARS 7012 requires for protecting Controlled Unclassified Information (CUI). CUI is information that the government creates or controls and that must be regulated and safeguarded before it can be disseminated. Level 2 companies must undergo “triennial third-party assessments for critical national security information” and “annual self-assessment[s] for select programs” (Acquisition & Sustainment Office of the Under Secretary of Defense).
- CMMC Level 3 (“Expert”) is the highest level. It requires the 110 practices (controls) from NIST SP 800-171 plus a subset of practices (controls) from NIST SP 800-172 to be met, and it mandates “triennial government-led assessments.”
Keeping up with updates in CMMC compliance requires businesses to adapt on a defined timeline. Business leaders need to stay current on the latest regulations, requirements, and compliance strategies so that their compliance journey is as efficient and effective as possible.
CIS-18 and DFARS NIST 800-171 Work Together, Making CMMC 2.0 Compliance More Accessible
CIS Critical Security Controls v8 (CIS-18) can supplement the Cybersecurity Maturity Model Certification (CMMC) levels and simplify meeting CMMC requirements. They also align with the intention behind the CIS Benchmarks, which focus on helping organizations solidify the security of their digital assets through a set of configuration standards and best practices. Even though CIS-18 is not a regulatory requirement, the majority of well-known compliance frameworks cite the CIS Benchmarks as the industry standard, making them a great way to meet both security and compliance goals.
CMMC 2.0 and CIS-18 Deliver a Clear Cybersecurity Framework and Benefits for Small Businesses
It’s no news to defense contractors that CMMC Compliance can be a major burden. So, what’s the bright side to all these updates? And what perks do they offer for small businesses that previously may have been considering moving away from defense work?
- Lower cost of assessment: Level 1 companies are allowed to self-assess, reducing the previously anticipated costs of third-party assessments.
- Assessment type tied to acquisition priority: Level 2 companies, depending on the priority of the acquisition, will be required to perform a yearly self-assessment or a triennial third-party assessment.
- Reduced barriers to compliance: CMMC 2.0 now allows some items to be present on a POAM (Plan of Action and Milestones) at the time of certification. Those items must be remediated within 180 days of the assessment. Previously, all practices had to be implemented at the time of assessment.
- Increased oversight of assessors: Third-party assessors are now held to more stringent standards as the Department of Defense (DoD) works to build trust.
MAD TIP: Two Common CMMC Mistakes for DIB Companies to Avoid
CMMC Mistake #1: Assuming your in-house IT department can handle compliance implementation and the ongoing controls that come with sustaining CMMC
First, your staff must be rigorously trained and tested to handle CMMC in-house. Even then, the complexity of the requirements leaves much room for inefficient and ineffective execution, which ultimately makes it more efficient and cost-effective for most companies to rely on expert third parties rather than undertake all of these operations themselves.
Many RPOs like MAD Security frequently see companies attempt in-house compliance, only to reach out for help after several months (or years) of lost time as they continuously hit internal roadblocks. It is also common for companies to reach a state of panic after the turnover of a key employee who held all or most of the required in-house expertise. Simply from a business continuity perspective, having a dependable third-party Managed Security Service Provider that is also a CMMC RPO engaged can decrease risk.
CMMC Mistake #2: Thinking the same provider can serve as both your CMMC Registered Provider Organization (RPO) and your Certified CMMC Third-Party Assessor Organization (C3PAO)
Many businesses assume that a single Certified Third-Party Assessor Organization (C3PAO) can provide all the guidance, advice, and support they need on their compliance journey and also perform the official third-party assessment required by CMMC. Don’t be fooled! While a CMMC C3PAO must perform the official third-party assessment, that same C3PAO cannot provide guidance, advice, or consulting services for your compliance journey, as this is considered a conflict of interest. CMMC Registered Provider Organizations like MAD Security avoid all possible conflict-of-interest concerns: they are designed to provide guidance and advice, support you on your compliance journey, and assess and consult on your cybersecurity gaps in preparation for your official third-party assessment.
Tackle CMMC Certification and Compliance As a Competitive Advantage
For many organizations, compliance and a cybersecurity program feel easy to write off as another business cost they would prefer to skip. However, meeting cybersecurity requirements can become a differentiator that adds value to your business, especially as turnover increases amongst the DIB. Additionally, as cyber protection becomes the norm across more and more industries, your organization will be well positioned to stay competitive into the future.
Taking the Pain Out of CMMC Compliance and Cybersecurity for Defense Companies
Cybersecurity is an essential part of any company’s operations. However, staying up to date with the latest defense regulations and compliance strategies can be challenging for many business leaders. If you want to make sure your business is both compliant and cyber resilient, you need a team of experts on your side to create an actionable plan that helps you mitigate risks.
At MAD Security, we have developed comprehensive cyber risk and CMMC compliance solutions that make the process easier and less stressful for you. We can help you assess your cyber risks and create the solutions that best fit your needs and budget. We don’t just check the boxes; we undertake an in-depth assessment that touches every aspect of your business. This way, we set a sound foundation that helps your business be not only compliant, but also safe and competitive.
Get in touch with MAD Security now to take the pain out of your CMMC journey or get it started with an initial CMMC Assessment to identify the gaps between you and reaching a state of CMMC compliance.
Resources:
- Securing the Defense Industrial Base – CMMC 2.0 from The Acquisition & Sustainment Office of the Under Secretary of Defense
- Strategic Direction for Cybersecurity Maturity Model Certification (CMMC) Program