New Defense Department CMMC Rules Put Spotlight on Cybersecurity

Learn why the Defense Department is unveiling stricter rules on cybersecurity for contractors and what impact the guidelines could have on your business.

If your business is a Defense Department contractor in Fort Lauderdale or South Florida, new guidelines are going to change the requirements needed to remain in business with the federal government.

What do the new guidelines mean and how can your business prepare?

What Are the New DoD Compliance Guidelines for 2020?

After several data breaches related to federal contractors, the Defense Department announced the implementation of the Cybersecurity Maturity Model Certification (CMMC) program. It’s projected to be a standard requirement for any Requests for Proposals (RFPs) by June 2020. The CMMC mandate includes several levels of cybersecurity authorization.

The CMMC grew out of concerns on the heels of recent cyberattacks that the existing standard, NIST SP 800-171, did not provide enough documented protection of sensitive government data.

How Is CMMC Different from NIST SP 800-171?

NIST SP 800-171 requires contractors to produce two key documents. The first, a System Security Plan (SSP), is a detailed look at a contractor’s information systems, security requirements and controls in place to meet those requirements. The second is the Plan of Action and Milestones (POA&M), which lists gaps between the SSP and the NIST SP 800-171 guidelines; it’s essentially a to-do list of remediation measures.

However, DoD officials have expressed concern that the SSP and POA&M are no longer enough to combat increasingly sophisticated cyberattackers. Gone are the days when ticking off a checklist is enough evidence of being cybersecure. Contractors and subcontractors need to step up their game, officials say. Once in effect, bids will only be considered if the contractor has a certified level at or above that required for the work.

What Are the Five CMMC Levels?

NIST SP 800-171 remains the benchmark on which the levels are based. It corresponds to the third of five possible levels and represents a “good” approach to cybersecurity. The five levels are:

  • Level 1: Basic Cyber Hygiene. Contractors here meet the most fundamental federal regulations of protection for information systems.
  • Level 2: Intermediate Cyber Hygiene. Contractors need standard operating procedures, policies and strategic plans that frame their cybersecurity program.
  • Level 3: Good Cyber Hygiene. Mapping to NIST SP 800-171, this level is necessary for any contractor expecting to access Controlled Unclassified Information (CUI). CUI is information generated by or owned by a federal agency, or created on behalf of an agency. Such organizations demonstrate an ability to protect and sustain their own data and CUI but may still be vulnerable to advanced persistent threats.
  • Level 4: Proactive Cyber Hygiene. Contractors at this level have a cybersecurity program that is substantial and progressive, able to adapt its activities to protect data and sustain operations, even in the wake of advanced persistent threats that change their tactics, procedures and attack vectors.
  • Level 5: Advanced and Progressive Cyber Hygiene. These contractors are the most advanced regarding cybersecurity, able to optimize their security measures. The implementation of processes is operationalized throughout the organization.

The levels-based approach to cybersecurity is designed to allow the DoD to categorize prospective bidders by the level of security maturity they have achieved. It’s intended to streamline the bidding process, provide additional levels of security and assurance, and more accurately reflect a bidder’s cyber defenses.

How Are Levels Determined for CMMC?

Much like the NIST SP 800-171 standard, the CMMC will focus on achieving passing marks in different domains. The 17 domains cover the full scope of a comprehensive cybersecurity program:

  • Access Control
  • Asset Management
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Recovery
  • Risk Management
  • Security Assessment
  • Situational Awareness
  • System and Communications Protections
  • System and Information Integrity

For each domain, a contractor must demonstrate it can identify malicious content, identify and manage system flaws, monitor networks and systems, and use advanced email security.

How Can My Business Attain CMMC Compliance?

Palindrome Consulting helps businesses with advanced compliance, cybersecurity, IT assessment and data solutions. We help local businesses comply with CMMC and other regulatory mandates. To learn more about our security vulnerability assessments and services, contact us today.
