Feb 06, 2020 (Investing Alerts) — If your business holds contracts with the U.S. Department of Defense (DoD), you’re probably aware of the new cybersecurity certification program that the DoD just released late last month.
If you’re not aware, we’ll quickly fill you in:
The new certification program, known as Cybersecurity Maturity Model Certification (CMMC), is the DoD’s initiative to verify that private defense contractors have implemented the cybersecurity measures that were mandated by the passing of DFARS, or the Defense Acquisition Federal Regulation Supplement, back in 2016. “Mandated” may seem too harsh a term, given the fact that contractors have in the past been trusted to implement security measures “in good faith.” However, with continued pressure to secure the defense supply chain, the DoD has now added CMMC as what they call a “verification component” of DFARS.
Basically, this means that defense contractors will only be awarded contracts with the Department of Defense if they are certified by an approved CMMC auditor. Official audits have not yet begun, but according to our research, auditors are currently being trained on CMMC, and audits are estimated to begin later this year.
That means that defense contractors have little time to implement the cybersecurity controls necessary to pass a CMMC audit, namely NIST SP 800-171, especially if they haven't taken any action since the passing of DFARS. Many contractors may have the resources to conduct a self-assessment and implement the controls themselves. However, many will opt to outsource the task to a Managed Service Provider (MSP) that helps contractors prepare for upcoming audits by providing CMMC Assessment Services.
A CMMC Assessment is essentially a Gap Analysis that assesses a defense contractor’s information systems and identifies what cybersecurity controls are missing from their current systems. This assessment provides the basis for the remediation process, which a contractor can implement themselves or have a third-party provider, like an MSP, do the work for them.
Two documents that the DoD has been looking for in contracts will also likely come out of the assessment process: the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M). Auditors will likely ask to review both documents when they conduct their audit.
Additional ongoing requirements of NIST 800-171 will include a Security Information Management (SIM) tool and a dedicated Security Operations Center (SOC) to monitor real-time threats to a contractor's information systems.
Getting a CMMC Assessment done, either internally or by a third-party provider, is the best way for defense contractors to prepare for the upcoming audits. Though it may be difficult to navigate the complexities of NIST 800-171, contractors should find the resources linked in this article helpful.