The United States Department of Defense (DoD) possesses what is probably the largest supply chain in the world. The DoD works with thousands of contractors and sub-contractors that can pose an enormous cyber risk to national defense. In fact, cybersecurity lapses among DoD contractors allow hostile nations and cybercriminals to steal and expose sensitive information not meant for public eyes.
Sadly, cyberattacks on contractors continue because the DoD can't effectively monitor the cybersecurity risks in its supply chain. As a result, a supplier of various major defense contractors which includes Boeing, SpaceX, Visser Precision Manufacturing, General Dynamics, and Lockheed Martin was hit by a ransomware attack. Some documents stolen from Visser Precision Manufacturing have been showing up online. The cyberattack is the type of incident the Pentagon wants to prevent with the Cybersecurity Maturity Model Certification (CMMC) framework.
In order to truly understand what CMMC 2.0 compliance is, we have to look at the purpose behind its conception. The CMMC model was designed specifically for small- and medium-sized contractors and uses three certification levels that show the maturity and effectiveness of a contractor's cybersecurity program to protect important government information. The purpose of the CMMC 2.0 is to hold suppliers and contractors accountable for their cybersecurity postures before signing any contract with the DoD.
The DoD decides what certification level a specific contractor needs. A contractor then needs to meet certain requirements to be certified for a specific level. Also, self-certification is no longer an option. Contractors must now work with a certified third-party assessor organization (C3PAO) to be level certified.
All prime contractors and subcontractors working for the DoD must be CMMC 2.0 certified. Contractors without a valid CMMC certification can be barred from bidding on a government contract.
Controlled Unclassified Information (CUI) is information created or owned by the government that contractors can handle using safeguarding and dissemination controls as required by regulations, laws, and government-wide policies. In other words, CUI is information that needs to be protected from the public, but not sensitive enough that contractors should have high-level security clearance to work with it. Federal Contract Information (FCI) on the other hand, is information that is not intended to be released to the public.
The National Institute of Standards and Technology Special Publication 800-171 (NIST 800-171) is a set of standards outlining how to protect and distribute CUI. The goal of NIST 800-171 is to ensure unclassified information not part of federal organizations and information systems are consistent and properly protected.
Being CMMC 2.0 compliant is different from being NIST 800-171 compliant. The CMMC framework focuses solely on CUI controls, NIST 800-171 on the other hand, also includes Non-Federal Organization (NFO) controls. Despite their differences, your company needs to comply with both standards.
Here are steps your company should take to prepare for a CMMC audit and achieve compliance.
The first step you need to take is to indicate your company’s CUI environment. This is a controlled environment where CUI is stored, processed, and transmitted. It's important to know what the CUI environment is because it defines the processes, services, and systems in scope for NIST 800-171. If you're not sure what your CUI is, you can ask for assistance from your contracting officer.
Next, you must identify which controls apply to your CUI environment from 62 NFO and 110 CUI controls.
Identify all applicable contracts, regulations, laws, and requirements your company should comply with and create policies and processes that will help you meet and manage those requirements. These policies must be concise and directly align with your company's compliance requirements.
This is the step where your technology, processes, and people come together to operationalize your privacy and cybersecurity program. It implements the exact requirement for compliance and brings your policies to life. This step requires you to identify teams responsible for specific CUI controls and to define their roles and responsibilities to ensure requirements are properly implemented.
Create a Plan of Action & Milestone (POA&M) and a System Security Plan (SSP) to document the changes that affect your CUI environment. These two documents are important because:
Also, a CMMC 2.0 auditor needs your SSP and POA&M to properly assess your CUI environment. These documents are also required for NIST 800-171 compliance. If your company lacks these documents, you risk non-compliance penalties.
There are various methodologies available your organization can use to manage risk. There are risk models from ISO 31010, FAIR, OCTAVE, and NIST 800-171 that assess how effective controls are implemented and how much risk is reduced based on the control's level of maturity. However, there's no perfect risk methodology, and you should choose one that best supports your company's functions.
It's even possible to use different risk methodologies for operational, strategic, and tactical risk decisions because each has its own strengths and weaknesses. The goal of this step is to allow your company to define and achieve a level of optimal risk-taking.
Gathering metrics gives you a snapshot of a control's performance and helps you identify areas for improvement. You can do this by defining key risk indicators (KRIs) and key performance indicators (KPIs) to gain insight into the controls vital to your organization.
The next step is to take a gap assessment before the actual CMMC 2.0 audit. A gap assessment for Charles IT will identify potential danger spots and weaknesses in your IT infrastructure. We will then provide you with a remediation plan to address those weaknesses, ensuring a straight path to CMMC 2.0 and DFARS compliance. Start your gap assessment now!
Editor's Note: This blog was originally published on August 7, 2020. It was edited for accuracy on August 1, 2023.