Our industry has been preparing for the Cybersecurity Maturity Model Certification (CMMC) for more than a year, and it is important that everyone supporting the defense mission understands what it is and how it will impact businesses and operations. CMMC is a new requirement for federal contractors doing business with the Department of Defense (DoD). This DoD certification, which is slated to go into effect in the next four years, ensures all non-federal information systems meet DFARS requirements for processing and storing Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC will require a third-party auditor to certify Defense Industrial Base (DIB) systems that process and store CUI or FCI. Leveraging managed service capabilities like Applied Insight’s Altitude™ is a great option to consider when planning your CMMC compliance roadmap.
Why the change?
As adversary capabilities and insider threats become more sophisticated, protecting information systems critical to national defense and economic security has evolved into a complex endeavor. With myriad policies, standards, frameworks and contractual requirements, accrediting these systems to process and store sensitive information is no small feat. The time and resources required to complete the assessment and authorization process are usually measured in months, increasing operational risk and decreasing the appetite for deploying innovative solutions. This is equally true for both federal and non-federal information systems. Many companies within the Defense Industrial Base invest time and resources to ensure compliance with applicable DoD guidance. However, this guidance is often disparate and sometimes vague, leading to inconsistent standards being applied across the DIB. Ultimately, this leads to decreased situational awareness and decreased confidence when assessing operational risk. Recognizing these challenges and the need for a more consistent approach to accrediting non-federal information systems, the DoD developed the CMMC.
What is the CMMC program?
The CMMC program, managed by the Office of the Under Secretary of Defense for Acquisition and Sustainment, was created in response to the continued targeting and exploitation of non-federal information systems by malicious cyber actors. The goal of CMMC is to protect CUI and FCI that resides on non-federal information systems. Once implemented, DFARS will require all DoD service providers and vendors to achieve certification through an approved, third-party assessor, creating a framework for consistent application of information security controls across the DIB.
How does this differ from existing information assurance frameworks?
Current DFARS requirements mandate compliance with National Institute of Standards and Technology (NIST) Special Publication 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations). If correctly implemented and maintained, NIST guidance can be an effective way to ensure DIB information systems adequately protect CUI and FCI. The challenge is that the current DFARS requirements allow for self-assessment and attestation, without independent verification that the appropriate standards have been achieved. CMMC will require a third-party assessment of DIB information systems to ensure appropriate controls are in place to protect CUI and FCI.
How can your organization prepare for CMMC?
Although the final CMMC standards have not yet been published, members of the DIB can be proactive in preparing for this requirement. As with any complex organizational change, having a plan is crucial to success. There are several steps you can take to be ready:
- Make sure your organization understands its current cybersecurity posture. Use existing cybersecurity frameworks like NIST 800-171 to complete an internal compliance self-assessment. This can help provide the situational awareness required to quickly pivot to supporting CMMC requirements when implemented.
- Update your current security documentation, paying attention to the bodies of evidence required for standard DoD A&A processes. Chances are that the requirements for CMMC will be similar to existing requirements, meaning you can leverage existing materials in the CMMC process.
- Appoint a CMMC subject matter expert for your organization. This person should stay up to date on applicable guidance from DoD acquisition organizations, published CMMC documentation, and other guidance from the Under Secretary of Defense for Acquisition and Sustainment and the CMMC accreditation body.
- Consider transferring operational risk. Cloud-based managed services are a great example of turnkey solutions that can provide CMMC compliance from day one. If your organization has been considering moving workloads to the cloud, this could be the perfect time to do so.
Readiness for CMMC is essential for any company doing business with the DoD. Using advanced automation and industry-leading governance solutions, Altitude™ helps your organization realize the efficiencies of multi-cloud usage while providing continuous compliance accompanied by a body of evidence that will accelerate the CMMC process.
Christopher Smith is Director of Engineering for Altitude™ at Applied Insight, a market leader in solving complex technology challenges for federal government customers.