Update: CMMC 2.0 has been released. While much of this content is still relevant, look for an updated article soon outlining the differences!
With all the talk surrounding CMMC, it is a safe bet that many organizations are feeling confused and overwhelmed regarding all these new terms, compliance frameworks, and standards; and if they will affect your ability to do business with the government, moreover, to be awarded new DoD contracts as either a prime contractor or subcontractor.
The DoD is issuing interim rules and clauses to amend the Defense Federal Acquisition Regulation Supplements (DFARS) to implement DoD Assessment Methodology and CMMC (Cybersecurity Maturity Model Certification) frameworks and standards in order to assess contractor implementation of cybersecurity requirements and enhance the protection of controlled unclassified information within the DoD supply chain.
In order to be considered for award, if the Offeror is required to implement NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), the Offeror shall have a current assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.
What Organizations Are Affected by CMMC?
If your organization works with Controlled Unclassified Information (CUI) and/or if your organization operates anywhere in the DoD supply chain, you likely require some form of interim DFARS and ultimately CMMC compliance to remain viable as a vendor. It is likely that over 300,000 organizations will be affected by the CMMC compliance & certification requirement. Your organization may be required to meet these cybersecurity guidelines by 2025 in order to bid on contracts requiring CMMC certification.
CMMC compliance will be applicable to any organization with relevant information (CUI) regarding the Defense Industrial Base (DIB) on nonfederal systems. If your organization is a DoD contractor or subcontractor, the requirements on proposals will begin to change starting in 2021. By 2025, the “final” rollout is expected to be completed with a large array of proposals requiring specific CMMC compliance levels. In general, it is believed that most organizations with any CUI will be required to comply with CMMC Maturity Level 3. Please note that, as of the time of publishing this article, there is very limited official information or certified resources for obtaining and performing formal CMMC assessments and actual certifications. All auditors are currently in the training/setup phases, but evaluations are expected to open in the coming months.
What Should My Organization Be Doing About CMMC Right Now?
DFARS Readiness – DFARS 252.204-7012 is the initial requirement for Safeguarding Covered Defense Information and Cyber Incident Reporting, and DFARS 252.204-7019 addresses NIST SP 800-171 DoD Assessment Requirements. An assisted self-assessment and a Scarlett-led cybersecurity framework assessment can ensure your current policies, controls, and system security plan align with NIST 800-171 and will greatly ease the CMMC transition.
NIST SP 800-171 & CMMC Gap Analysis – CMMC (DFARS 252.204-7021) is a major improvement on the way most organizations do security. In order to meet the most common level or requirement, CMMC Maturity Level 3, enhanced security practices will be required for a majority of the 300,000 affected organizations. A gap analysis is a great way to get an estimate on required services and align your security before the deadline arrives.
What Domains Does CMMC Cover?
- Access Control
- Asset Management
- Audit & Accountability
- Awareness & Training
- Configuration Management
- Identification & Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Management
- Security Assessment
- Situational Awareness
- System & Communications Protection
- System & Information Integrity
Recommended Steps to CMMC Readiness
- Scope: In this phase, our teams need to determine the scope and scale of the current CUI usage, identification, storage, and movement within your organization. As a quick refresher, CUI is essentially any information that the government owns or is created on behalf of the government, that is shared with organizations under the pretense that they will safeguard the data. CUI now requires very specific (auditable) controls, and CMMC will most likely impact how your organization stores, classifies, and protects this data. It is urgent that organizations undertake a self-assessed or external engagement in order to properly identify aspects such as required CMMC level, affected systems, and stakeholders.
- Assess: After determining the scope and impact of the NIST Frameworks and CMMC regulations, organizations should take a look at their current security posture and system security plan in an objective manner. Generally, this would mean hiring a third-party cybersecurity assessor to perform an evaluation of current cybersecurity risk, policies, controls, procedures, monitoring, and reporting capability, along with their associated gaps and findings. If CMMC Level 3 is desired (the most common CMMC Maturity Level), this cybersecurity assessment (or “Gap Analysis”) would highlight the elements that are at risk or are missing relative to requirements. The Scarlett Group has developed a custom CMMC Gap Analysis, with the objective of evaluating an organization's current CMMC gaps in regard to the 17 CMMC Domains.
- Protect: This phase is both simple and complex. It’s simple because, if the job was done right, there will be a blueprint of missing cybersecurity controls in regard to CMMC requirements from the previous phase. It’s complex because of the requirement for radical cybersecurity overhauls in many situations. After assessing your organization's gaps, your team or a third-party consultant team will work to identify the required cybersecurity services, governance solutions, and plans of action and milestones to achieve compliance.
- Manage: Reaching CMMC Compliance is not a one-time event - these frameworks and controls require management and maintenance by dedicated cybersecurity managers and professionals to ensure continuous monitoring, automated controls with key indicators, and an ongoing balance between performance and conformance.
The Scarlett Advantage
The Scarlett Group is here to help your organization align with NIST SP 800-171 and Cybersecurity Maturity Model Certification (CMMC) frameworks, standards, controls, and incident response requirements set out by the United States Department of Defense (DoD). A great first step is our DFARS readiness service. DFARS is an effective foundation that can be built into an expansion into CMMC Maturity Level 3. A CMMC Gap Analysis, led by our certified IT Systems, Governance, Risk, and Control auditors, will evaluate your organization with regard to the 17 CMMC domains. Our team will work with yours to provide detailed reporting on gaps within the security ecosystem and help provide fully customized gap analysis and solution integration, priorities, and roadmaps to success. CMMC is a very real improvement on the nation’s cybersecurity posture, but many organizations may be caught unaware if they don’t pay attention over the next few years. CMMC compliance requirements will be here sooner rather than later and cannot simply be implemented overnight. Please refer to our primary source reference for this article for more information: https://www.acq.osd.mil/cmmc/faq.html. Contact our team today for a consultation and stay ahead of the curve when it comes to compliance.
CMMC Compliance Page: https://www.scarlettculture.com/CMMC
DFARS and NIST 800-171: https://www.scarlettculture.com/it-consulting/compliance/nist-800-171-and-dfars