New Defense Department CMMC Rules Put Spotlight on Cybersecurity
Learn why the Defense Department is unveiling stricter rules on cybersecurity for contractors and what impact the guidelines could have on your business
If your business is a Defense Department contractor in Fort Lauderdale or South Florida, new guidelines are going to change the requirements needed to remain in business with the federal government.
What do the new guidelines mean and how can your business prepare?
What Are the New DoD Compliance Guidelines for 2020?
After several data breaches related to federal contractors, the Defense Department announced the implementation of the Cybersecurity Maturity Model Certification (CMMC) program. It’s projected to be a standard requirement for any Requests for Proposals (RFPs) by June 2020. The CMMC mandate includes several levels of cybersecurity authorization.
The CMMC grew out of concerns, raised on the heels of recent cyberattacks, that the existing standard, NIST SP 800-171, did not provide enough documented protection of sensitive government data.
How Is CMMC Different from NIST SP 800-171?
NIST SP 800-171 requires contractors to produce two key documents. The first, a System Security Plan (SSP), is a detailed look at a contractor’s information systems, security requirements and controls in place to meet those requirements. The second is the Plan of Action and Milestones (POA&M), which lists gaps between the SSP and the NIST SP 800-171 guidelines; it’s essentially a to-do list of remediation measures.
However, DoD officials have expressed concern that the SSP and POA&M are no longer enough to combat increasingly sophisticated cyberattackers. Gone are the days when ticking off a checklist is enough evidence of being cybersecure. Contractors and subcontractors need to step up their game, officials say. Once in effect, bids will only be considered if the contractor has a certified level at or above that required for the work.
What Are the Five CMMC Levels?
NIST SP 800-171 remains the benchmark on which the levels are based. It corresponds to the third of five possible levels and represents a “good” approach to cybersecurity. The five levels are:
- Level 1: Basic Cyber Hygiene. Contractors here meet the most fundamental federal regulations of protection for information systems.
- Level 2: Intermediate Cyber Hygiene. Contractors need standard operating procedures, policies and strategic plans that frame their cybersecurity program.
- Level 3: Good Cyber Hygiene. Mapping to NIST SP 800-171, this level is necessary for any contractors expecting to access Controlled Unclassified Information (CUI). CUI is information generated or owned by a federal agency, or generated on behalf of an agency. Such organizations demonstrate an ability to protect and sustain their own data and CUI but may be vulnerable to persistent advanced cyberthreats.
- Level 4: Proactive Cyber Hygiene. Contractors at this level have a cybersecurity program that is substantial and progressive, able to adapt activities to protect data and sustain operations, even in the wake of advanced persistent threats that switch up tactics, procedures and attack vectors.
- Level 5: Advanced and Progressive Cyber Hygiene. These contractors are the most advanced regarding cybersecurity and are able to optimize their security measures. The implementation of processes is operationalized throughout the organization.
The level-based approach to cybersecurity is designed to allow the DoD to categorize prospective bidders by the level of security maturity they have achieved. It is intended to streamline the bidding process, provide additional levels of security and assurance, and more accurately reflect a bidder’s cyber defenses.
How Are Levels Determined for CMMC?
Much like the NIST SP 800-171 standards, the CMMC will focus on achieving passing marks in different domains. The 17 domains cover the gamut of a comprehensive cybersecurity program:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Recovery
- Risk Management
- Security Assessment
- Situational Awareness
- System and Communications Protections
- System and Information Integrity
For each domain, a contractor must demonstrate it can identify malicious content, identify and manage system flaws, monitor networks and systems, and use advanced email security.
How Can My Business Attain CMMC Compliance?
Palindrome Consulting helps businesses with advanced compliance, cybersecurity, IT assessment and data solutions. We help local businesses comply with CMMC and other regulatory mandates. To learn more about our security vulnerability assessments and services, contact us today.