Cygilant Blog

What is the CMMC and Where to Start

Posted by Steve Harrington on Apr 24, 2020

The Cybersecurity Maturity Model Certification (CMMC), created by the U.S. Department of Defense (DoD), aims to strengthen cybersecurity across the supply chain of the Defense Industrial Base. It affects every company doing business with the DoD by requiring contractors to be CMMC certified, and it seeks to put an end to the “checking the box” mentality.


Officially launched on January 31, 2020, the CMMC builds upon the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) frameworks by requiring every contractor to be audited and certified by a third-party auditor (3PAO).


The goal is to prevent the loss of controlled unclassified information (CUI) – think legal, financial, tax, immigration and other critical information, among others.


What hasn’t changed: You are still responsible for cybersecurity


Contractors have always been responsible for implementing, monitoring and certifying the security of their information technology systems and of any sensitive DoD information stored on or transmitted by those systems.


What HAS changed: You will be audited


CMMC now requires third-party assessments of contractors' compliance with a set of mandatory practices, procedures and capabilities, a set that can adapt to new and evolving cyber threats from adversaries.


CMMC Framework and NIST SP 800-171


The CMMC framework defines five certification levels. The levels are tiered, and each builds upon the technical requirements of the levels below it.

CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev1. Unlike NIST SP 800-171, however, the CMMC model has five levels. Each level consists of its own practices and processes as well as those specified in the lower levels. The CMMC will also assess how well the company has institutionalized its cybersecurity processes.

The DoD is building on and strengthening NIST 800-171, not abandoning it. While the specific maturity levels required for individual contracts have not been determined, it is understood that implementing the NIST 800-171 security requirements is the best way to prepare for CMMC.


Using NIST to Prepare


As a first step towards compliance, and while many wait to see how the next few months unfold, contractors can use the NIST security controls as guidelines for fundamentally strengthening their information systems and environments, and for deciding which controls to implement. These guidelines are widely adopted standards that many organizations use to align their cybersecurity programs.


NIST 800-171 provides organizations with a set of security controls for protecting controlled unclassified information in nonfederal information systems and organizations. The publication serves as a checklist for protecting controlled unclassified information when it is handled, stored, or transferred by third parties such as federal contractors.


Cygilant Helps with NIST Compliance


Cygilant has helped companies comply with NIST for years. Our Cybersecurity Advisors can help contractors address NIST 800-171 security controls, including Audit and Accountability (AU), Incident Response (IR), and System and Information Integrity (SI).


Our platform of services provides security monitoring and a 24x7 SOC that collects and normalizes auditable log and event data, and alerts on incidents with reporting capabilities consistent with the NIST requirements. We implement incident response workflows and ticketing to support proper incident response procedures and documentation.


The Cygilant SOCVue Vulnerability and Patch Management service provides vulnerability management designed to help address the NIST controls for Vulnerability Scanning and Risk Assessment. The service scans internal systems and external-facing IP addresses for vulnerabilities, which are then prioritized based on risk level and exploitability. The solution provides remediation workflow and ticketing for tracking and reporting, and our integrated patch management provides automated remediation with change controls.


An Affordable Approach to CMMC Compliance


We are cybersecurity and compliance experts, and we demonstrate compliance regularly for our clients in highly regulated industries. CMMC compliance shouldn’t be scary. It requires careful consideration and execution to help prevent the loss of controlled unclassified information. Cygilant can help as you work to achieve your compliance requirements.
