What Is CMMC and How Can You Rapidly Position to Comply?
As organizations start to think about what they will look like post-COVID, including potential permanent work-from-home arrangements to support the radical shift in remote-work technology adoption, there is yet another question looming: Are you getting ready for CMMC? Will you be ready?
CMMC, or Cybersecurity Maturity Model Certification, is a U.S. Department of Defense initiative to ensure that companies supporting DoD contracts (the Defense Industrial Base, or DIB) are appropriately securing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), the DoD's sensitive-but-unclassified information.
CMMC consists of five maturity levels, ranging from Level 1 – Basic Cyber Hygiene to Level 5 – Advanced / Progressive. Each level has an increasing number of requirements to meet as well as an increasing threshold of compliance with practices, from “Performed” to “Optimizing.”
CMMC is not like FISMA. FISMA allows organizations to accept residual risk; CMMC requires the organization to fully meet every requirement at the level being certified. FISMA also allows self-certification; CMMC does not. Instead, with CMMC, a certified third-party assessor organization (C3PAO) is contracted by the organization seeking certification. The C3PAO performs an independent assessment against the established standards for protection of FCI and CUI (drawn largely from FAR 52.204-21 and NIST SP 800-171) and determines whether the organization meets the acceptance criteria.
CMMC is a DoD program today, but it is being piloted by several non-DoD agencies such as GSA and State, so it could eventually become a government-wide standard.
Q: Who can expect to be regulated by CMMC in future, and by when?
CMMC is currently implemented through a DFARS interim rule that took effect November 30, 2020. The interim rule provides for a phased rollout over five years, during which contracts will progressively require contractors to be assessed by a third party and receive CMMC certification. All DIB members should therefore expect to be fully compliant with CMMC by the end of 2025.
Q: I’m just a subcontractor, should I be worried about CMMC as a member of the supply chain?
Yes. CMMC applies not only to prime contractors but also to subcontractors that handle FCI or CUI. Those without the CMMC certification a contract requires won't be eligible for Department of Defense (DoD) contract awards, so the pressure is on for primes and their suppliers alike.
At the end of last year, the Department of Defense (DoD) Under Secretary for Defense Acquisition and Sustainment Ellen Lord stated that cybersecurity vulnerabilities in the defense industrial base are most common six to seven levels down from prime defense contractors, hiding in their extensive supply chains.
She went on to state: “This is a U.S. economic security issue as well as a U.S. security issue. When we look at cybersecurity standards, I believe it is absolutely critical to be crystal clear as to what expectations, measurements are, what the metrics are, and how we will basically audit against those.”
Q: What CMMC level should I be certified to?
The five levels of CMMC are commensurate with the sensitivity of the information being protected: Level 1 covers the basic safeguarding of FCI, while Level 3 is the baseline for handling CUI. A particular contract or vehicle may specify the minimum CMMC level for participation, and each level adds controls on top of the level below it. Level 3 is the highest level that has been fully defined to date; assessment criteria for the higher levels are expected in the near future.
Q: How can Atomicorp help with CMMC compliance for organizations and their supply chains?
While there are 130 practices and 51 processes required for CMMC Level 3, two of the most significant areas to consider are Incident Response (IR) and Audit and Accountability (AU). Both domains place a strong focus on logging, monitoring, incident response, and reporting capabilities, typically delivered with a SIEM or a similar technical solution.
Are you prepared for CMMC? DoD security requirements seem certain to seep into a supply chain near you. Atomicorp intrusion detection and cloud workload protection can help you protect complicated secure connectivity across private and public network endpoints. Take advantage of Atomicorp logging, monitoring, incident response, and reporting capabilities:
- Logging. There's no shortage of log files for the security operations center (SOC) to inspect, either manually or automatically. You want technology that filters intelligently at the edge, integrating deep detection built in by developers (DevSecOps) before the malware or malice reaches the main office. This not only lowers SIEM ingestion costs but also shortens response time and puts less strain on the network and firewall.
- Monitoring. Inspect more than just files. A good file integrity monitoring (FIM) tool should watch more than the files and data stores containing sensitive data. It should also watch configuration information and software native to the operating system, such as registries, binaries, and libraries, as well as infrastructure components such as the configuration of network and cloud devices, web servers, and firewalls. All of this should be monitored in real time.
- Incident Response. Incident response demands sensitive detection and response at the endpoint. Endpoints left under-defended are subject not only to breach but to lateral movement that can spread across your computing environment. Security systems must move beyond detection into endpoint and cloud workload protection. Atomicorp provides security from the kernel level out to your endpoints, whether they sit on-premises or in the cloud.
- Reporting. Get snapshots and larger reports for compliance-audit agility. Record-keeping is a pain, and you'll need help when it's time for an audit, report, or security assessment. Intrusion detection systems and cloud workload protection platforms need to let you pull back from an incident or event, or drill in, to visualize how it fits (or doesn't fit) into a bigger picture. Comply with standards and regulations such as PCI DSS, HIPAA, HITRUST, NIST SP 800-53, NIST SP 800-171, NERC CIP, CIS, and GDPR. Make sure breaches and unauthorized changes in your environment are detected, and that the artifacts needed to answer regulatory requirements are generated along the way.
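To make the Monitoring bullet concrete, here is an added example (not Atomicorp's code and not part of the original page) of the core of a file integrity monitor: it baselines a watched set of configuration files, binaries, and libraries by content hash plus mode/owner, persists that baseline as JSON, and then reports added, removed, and modified paths, including a permission change on a binary whose contents did not change. The watched paths and the tampering steps are constructed for the demo in a temporary directory; nothing on the real system is read or changed.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical watch list, modelled on what the text says a FIM should cover:
# OS configuration, setuid binaries, shared libraries, server configs, and a
# persistence location that does not exist yet at baseline time.
WATCHED = [
    "etc/ssh/sshd_config",
    "usr/bin/sudo",
    "usr/lib/libc.so.6",
    "etc/nginx/nginx.conf",
    "etc/cron.d/persist",
]


def file_record(path: Path) -> dict:
    """Hash the file contents and capture mode/owner/size, so that a
    permission flip (e.g. a binary made world-writable) is caught even when
    the bytes are untouched."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(root: Path, watched) -> dict:
    """Snapshot every watched path that currently exists as a regular file."""
    return {rel: file_record(root / rel) for rel in watched if (root / rel).is_file()}


def compare(baseline: dict, current: dict) -> list:
    """Diff two snapshots into audit findings, sorted by path for stable output."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append({"path": rel, "event": "added"})
        elif new is None:
            findings.append({"path": rel, "event": "removed"})
        else:
            changed = [k for k in old if old[k] != new[k]]
            if changed:
                findings.append({"path": rel, "event": "modified", "fields": changed})
    return findings


def _write(root: Path, rel: str, data: bytes, mode: int) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)
    os.chmod(p, mode)


def demo() -> list:
    """Build a constructed tree, baseline it, tamper with it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample tree (contents are placeholders, not real binaries).
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\nPasswordAuthentication no\n", 0o644)
        _write(root, "usr/bin/sudo", b"\x7fELF-placeholder-sudo", 0o4755)
        _write(root, "usr/lib/libc.so.6", b"\x7fELF-placeholder-libc", 0o755)
        _write(root, "etc/nginx/nginx.conf", b"worker_processes 1;\n", 0o644)

        baseline = build_baseline(root, WATCHED)
        # Round-trip through JSON, as a real agent would persist the baseline.
        baseline = json.loads(json.dumps(baseline))

        # Simulated tampering: config weakened, setuid binary made world-writable,
        # server config deleted, new cron persistence dropped in.
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin yes\nPasswordAuthentication no\n", 0o644)
        os.chmod(root / "usr/bin/sudo", 0o4777)
        (root / "etc/nginx/nginx.conf").unlink()
        _write(root, "etc/cron.d/persist", b"* * * * * root /tmp/x\n", 0o644)

        return compare(baseline, build_baseline(root, WATCHED))


if __name__ == "__main__":
    for finding in demo():
        print(json.dumps(finding))
```

The "fields" list is what makes a finding actionable for an assessor: a mode-only change on `usr/bin/sudo` and a content change on `sshd_config` are different incidents and should be triaged differently. A production agent would additionally run this on a schedule or from inotify/fanotify events for the real-time requirement, and ship each finding to the SIEM as an AU artifact.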
Evaluate Atomicorp for CMMC and other compliance drivers today.
Get a demo.