If your company is a government contractor or subcontractor, you may be wondering what is going on with the Cybersecurity Maturity Model Certification (CMMC).
This week the U.S. Department of Defense (DoD) announced it is revamping the CMMC pilot program (into a new construct known as CMMC 2.0). The announcement has raised a lot of questions.
You may be trying to make sense of it all and wondering what it means for you. It can be tough to keep track of the daily and weekly developments, especially when you are juggling the million other things that demand your attention when you run a business.
As manager, information security and compliance at Kelser Corporation, a managed services provider, I follow cybersecurity developments daily. I’ll tell you what’s changed and why, how it may impact your business, the expected timeline (as of this moment), and the best steps to take while CMMC is being sorted out.
CMMC is the next generation of protection for data shared within the U.S. Defense Industrial Base (DIB). It has been developed to systematically assess and certify the maturity of an organization's cybersecurity processes and procedures.
According to the U.S. Office of the Under Secretary of Defense (OUSD) list of frequently asked questions about the update, the DoD received more than 850 public comments in response to the interim rule establishing CMMC 1.0.
Comments focused on:
According to the OUSD, CMMC 2.0 is designed “to meet these goals, which also contribute toward enhancing the cybersecurity of the defense industrial base.”
So, in general terms, as with any new process, there will be some evolution and growing pains as it is developed and implemented.
Most people in the IT community anticipated this evolution (and many expect it to continue).
The redesign removes some of the requirements in an effort to streamline and improve implementation of the CMMC program.
In the meantime, the DoD is suspending the requirement for CMMC in proposal solicitations.
Here are the differences at a glance:
| CMMC 1.0 | CMMC 2.0 |
| --- | --- |
| 5 Certification Levels | 3 Certification Levels (eliminates Levels 2 and 4 of CMMC 1.0) |
| 3rd Party Assessment (for all levels) | Some Self-Assessment & Certification Permitted (certain levels) |
| Detailed Requirements | Discussion of Waivers for Certain Requirements (details to come) |
| CMMC Unique Practices | Eliminates CMMC Unique Practices |
The changes are designed to make the CMMC process easier, while still maintaining the ultimate objective: strengthening the cybersecurity protocols of organizations doing business with the government as either a contractor or subcontractor.
CMMC 2.0 still needs to undergo a 9- to 24-month rulemaking process before it will be implemented (and ultimately required) by contract.
The changes should make it easier and less expensive for companies to implement and monitor.
Earlier this year, the White House issued an Executive Order aimed at improving the nation’s cybersecurity stance.
Most IT professionals agree that CMMC may continue to evolve, but it is not going away.
Currently, the timing of incorporating CMMC 2.0 as a contractual requirement looks to be at least a couple of years away.
Keep monitoring the situation and get your “cybersecurity” house in order. It’s absolutely important for companies to start doing things now.
Here are 7 things to focus on:
1. By proactively implementing NIST 800-171 if you haven’t already, you will be in a much better position when CMMC becomes a contractual requirement. NIST 800-171 provides a solid cybersecurity framework to not only protect your company and customer data, but also to prepare you for the requirements of CMMC (version X.0). There will likely be other changes, but NIST 800-171 is a good cybersecurity baseline to have in place and will make it easier to adapt to the additional requirements of CMMC when it is rolled out.
2. When it comes to cybersecurity, employees are an important line of defense, but they can only help if they know what to do! Make it a priority to provide effective cybersecurity training for all employees.
3. Know who is accessing your data and when. Proactive monitoring can detect patterns of behavior and identify issues before they get too far along.
4. Make sure that the person signing in to your infrastructure is really the person you think it is. Multi-factor authentication provides an extra level of security and identification and, in many cases, it is already part of your current software offerings; all you need to do is turn it on!
5. Make it hard for cybercriminals to access your information. Your physical security is as important as your cybersecurity; make sure both are up to snuff.
6. Make sure updates and patches are installed in a timely manner to protect your systems and networks as well as your individual devices.
7. Employees can only be responsible for policies and procedures if they exist. Cybersecurity procedures in particular take time to document and communicate. Changing behavior takes time.
When it comes to cybersecurity plans, the best time to start is yesterday. Being proactive is key to keeping your organization’s information safe.
You may be feeling overwhelmed with all of the requirements of cybersecurity. Although it’s not right for every business, an MSP can often be a cost-effective solution for small- to medium-sized businesses (SMBs) that don’t have the budget to hire a full-time, on-site IT staff.
If you want to focus on running your company without the added stress of worrying about your IT infrastructure, an IT MSP partner can help.
Kelser Corporation has been partnering with small and medium-size businesses for decades. If you’d like to learn more about how we can help you make sense of CMMC or any other IT issues,
In the meantime, we’ll stay on top of developing news on CMMC and publish updates as the details emerge. Stay tuned!