Cyber Security Maturity Model Certification Services
On January 31st, 2020, the United States Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC), a unified standard for implementing cybersecurity across the defense industrial base (DIB). It will affect over 300,000 companies in the U.S. DoD supply chain. This new standard was created in response to significant compromises of sensitive information on contractors’ information systems.
While these new cybersecurity requirements can be intimidating to businesses that may not understand why or how they can become CMMC compliant, the trusted team of IT Specialists at Blue Jean Networks can help. We have dedicated a lot of time and resources to ensuring our IT team knows the ins and outs of CMMC and how we can help your business get ready for its certification assessment. No matter what level of CMMC certification you need to achieve to meet your contract requirements, we can help make it happen. Here is more information on CMMC and why you should be getting your business ready.
Why Does My Business Need to Worry About CMMC Compliance and Certification?
If your business works as a contractor, or as part of the supply chain, for any part of the defense industrial base (DIB), then your business will need CMMC certification in order to bid on projects. In short, if your business does not become CMMC certified at the level required for the project, it will not be able to bid, which can result in a significant loss of sales for your business.
Why Does CMMC Matter for DoD Contractors?
Before the implementation of CMMC, contractors were responsible for implementing, monitoring, and certifying the security of information on their technology systems. This includes certifying the security of any sensitive DoD information that was stored or transmitted by their technology systems.
While contractors are still responsible for ensuring that they are implementing proper critical cybersecurity requirements, the new CMMC guidelines require all companies in the defense industrial base supply chain to become certified through a third-party assessment. This ensures that all contractors working with the defense industrial base are compliant with the mandatory cybersecurity practices and procedures, and that their cybersecurity is able to adapt to new and evolving cyber threats.
All DoD contractors should take steps to learn and understand the CMMC’s technical requirements and prepare for certification as well as come up with a long-term cybersecurity plan.
What Is the CMMC Framework?
CMMC establishes five certification levels that show a company’s maturity and reliability concerning its cybersecurity, with the goal of safeguarding sensitive information that may be found on a contractor’s information systems. Each level builds on the previous one and requires compliance with the lower level. Each successive level is more demanding, and taking additional cybersecurity measures to boost protection improves your business’s chances of achieving a higher certification level.
The Levels of CMMC
Level 1: A company must perform “basic cybersecurity practices” such as using antivirus software and ensuring employees change their passwords regularly. This should be done to protect Federal Contract Information (FCI).
Note: It is important to remember that FCI is not intended for public release or use. It is provided by or generated for the government under a contract to develop or deliver a product or service to the government.
Level 2: A company must keep documentation of intermediate cybersecurity practices to protect any Controlled Unclassified Information (CUI) through the implementation of some of the United States Department of Commerce National Institute of Standards and Technology’s (NIST’s) Special Publication 800-171 Revision 2 security requirements.
Level 3: A company must have an institutionalized management plan to put good cybersecurity practices into effect to safeguard CUI. This means implementing all of the United States Department of Commerce National Institute of Standards and Technology’s Special Publication 800-171 Revision 2 security requirements, along with additional standards as needed.
Level 4: A company must have implemented a process to review and measure the effectiveness of the aforementioned practices. It must also establish additional enhanced practices to detect and respond to the changing tactics and techniques of advanced persistent threats (APTs).
What is an APT?
An advanced persistent threat (APT) is defined as an adversary that possesses sophisticated levels of expertise and significant resources to create opportunities to achieve its objective (often to steal sensitive information) by using multiple attack vectors/strategies.
Level 5: A company must have standardized and optimized processes established across the organization along with additional enhanced practices that provide more sophisticated capabilities to detect and respond to advanced persistent threats.
What Businesses Need to Be CMMC Certified?
CMMC applies to defense industrial base businesses and their contractors that have unclassified networks that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This includes small businesses and foreign suppliers that may not be working directly with the DoD but that provide a service or product to a contractor that is.
What Level Of CMMC Certification Should My Business Be At?
DoD statistics indicate that the majority of the DIB will be made up of contractors who are able to meet at least a Level 3 CMMC certification. This will help ensure the protection of controlled unclassified information.
Smaller subcontractors who are only selling parts or renting out equipment to the main contractor may be able to get by with a Level 1 CMMC certification, but you should always check your contract to make sure your business is meeting the right cybersecurity requirements in order to take on the job.
What Can My Business Do to Ensure It Is Ready for CMMC Certification and Assessment?
There are several steps businesses can take to ensure that they are able to meet the new CMMC certification requirements. Here is a quick rundown of actions your business should start taking now to make the transition easier:
Start Preparing Now: Make sure you are clearly documenting all of your cybersecurity practices and procedures. Also, make sure that your employees understand and are able to adapt to the implementation of new procedures and practices should your business need to obtain a higher certification level.
Engage With Other Agencies to Learn Their Practices: A business cannot become CMMC compliant unless it is working with a business that is. Blue Jean Networks can help you bring your cybersecurity practices up to date with the newest CMMC requirements and get you certified at the level that you need.
Keep Up With the Development of Assessment Challenges: Many contractors are concerned, and for good reason, about what happens should a certification level or audit result be erroneous. This concern comes from the fact that the CMMC assessment has a significant impact on a business’s ability to meet contract requirements, and a low CMMC rating could limit a contractor’s ability to obtain work.
While there is no set due process to appeal a poor certification level or audit result, the DoD does claim that one is coming. It is important to keep track of any feedback from the auditor and provide feedback to the DoD on any proposed due process procedures to help ensure that the process is adequate.
Make Sure Your Cybersecurity Process Is Flexible: When it comes to cybersecurity, there is no such thing as complete. As cyber threats evolve, today’s CMMC certification requirements will at some point become the minimum.
The DoD has already emphasized that the new CMMC certification is the starting point for transforming a contractor’s internal cybersecurity culture to focus on preparing for evolving threats. This should create a culture of cyber resiliency and flexibility within your business. Keeping this in mind should help you compete better in the market for contractors and reduce the risk of cyber threats to your business’s and the government’s sensitive data.
Need Help Becoming CMMC Certified?
Blue Jean Networks has been closely studying the new standards that CMMC places on companies, and we are ready to help our clients get certified. Our expert team will sit down with you, go over your cybersecurity plan, and provide suggestions and actions that can help improve your systems so you can get certified. Contact our team today for more information!
Still have questions about CMMC? Check out our CMMC FAQ page!