The Department of Defense (DoD) recognizes that strong cyber hygiene is critical to preventing security incidents. Verizon's recent data breach report indicates that about 90% of security breaches trace back to poor cyber hygiene. To ensure that the NIST SP 800-171 requirements and industry best practices for strong cyber hygiene are in place across all of its service providers, including non-IT and professional services providers, the DoD is moving from a self-assessed framework to a third-party-assessed framework, the Cybersecurity Maturity Model Certification (CMMC), to help protect the Defense Industrial Base (DIB) supply chain.

With the implementation of the new CMMC quickly approaching, now is the time to prepare. By the way, these tips will help with security compliance and improve the security posture of any federal service provider, so consider implementing them even if your customer focus is not the DoD. Also note that the 8(a) STARS III contract vehicle included CMMC planning as a criterion for award, which may well become a trend for many strategic contract vehicles.

Here are three best practices to help you prepare for CMMC certification. 

1. Familiarize yourself with the details of the CMMC model

The first thing you need to do is read through the requirements issued by the Office of the Under Secretary of Defense for Acquisition & Sustainment. On its website, you will find a briefing along with appendices that explain the various levels, processes, and practices of CMMC.

You should also visit the CMMC Accrediting Body’s website, where you will find additional resources and training. 

As you navigate these documents, you might find yourself overwhelmed and confused. We understand that CMMC compliance can be complicated, so if you need help understanding it and how it applies to your business, check out our CMMC white paper, which is written in layman's terms. Also, consider reaching out to a consulting company, like IBSS, that can help you with an initial analysis of your organization's current cybersecurity practices and processes.

2. Identify the certification level appropriate for your company

Once you have a grasp on the CMMC compliance requirements, you are ready to look at your acquisition pipeline to determine what types of DoD contracts and opportunities you are pursuing. Your pipeline will help you determine your current and planned access to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The type of FCI and CUI you will access determines the level of CMMC compliance your company will need. 

FCI is sensitive information provided by or generated for the government as part of the acquisition process that is not intended for public release.

CUI is a category of unclassified information that is sensitive enough that the government has determined it requires protection from public disclosure. Examples of possible CUI include proprietary technical information about tools or engineering solutions, cutting-edge technologies, critical infrastructure information, and privacy data.

Consultants, like IBSS, can assist in determining what level of FCI and CUI you will access.  

When identifying the certification level that your company needs, consider the following. 

CMMC Maturity Level 1

Level 1 is the minimum level for all DoD acquisitions and is for companies that handle FCI but do not handle CUI. 

CMMC Maturity Level 3

Level 3 is the minimum level for DoD acquisitions that handle CUI. 

We expect the bulk of opportunities to require Level 3, so it will be the appropriate level for most service providers.

CMMC Maturity Levels 4 and 5

Levels 4 and 5 will be required for opportunities with access to highly sensitive CUI and large volumes of CUI. 

These levels are a good option for companies already meeting all of the National Institute of Standards and Technology Special Publication (NIST SP) 800-171 requirements and who are looking to implement highly resilient and adaptive cybersecurity capabilities. 

3. Evaluate your current cybersecurity program and capabilities 

With an understanding of the requirements and the certification level you need, your next step is to evaluate your current cybersecurity program and capabilities and align them with the intent of the CMMC model, so that you not only meet the requirements for certification but also derive value from the process.

Your goal is to establish strong cyber hygiene, not just to meet requirements. Strong cyber hygiene prevents the bulk of cybersecurity incidents and breaches. In this area, you should evaluate logical and physical access controls, integrate vulnerability scanning and flaw remediation into your operating system and application patching process, and establish and continuously monitor secure configurations based on Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) and Center for Internet Security (CIS) Benchmarks.
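To make the "establish and monitor secure configurations" point concrete, here is an added example (not code from the original post or from IBSS) of the kind of automated drift check a hardening baseline enables. The baseline dictionary is a constructed illustration modeled on common STIG/CIS-style SSH hardening recommendations, not an export of any published benchmark, and the sshd_config text is constructed sample input that deliberately contains drift. The parser mirrors two real sshd behaviors: the first occurrence of a directive wins, and keywords are case-insensitive.

```python
"""Configuration-drift check of an sshd_config against a hardening baseline.

Added example; not from the original post or from IBSS. SSH_BASELINE is a
constructed illustration modeled on common STIG/CIS-style recommendations
(not a copy of any published benchmark), and SAMPLE_SSHD_CONFIG is
constructed sample input.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline: keyword (lowercased) -> expected value.
SSH_BASELINE: Dict[str, str] = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
    "loglevel": "verbose",
}

# Constructed sample config with deliberate drift (root login, auth tries,
# LogLevel left unset). Lines under "Match" are conditional, not global.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PermitEmptyPasswords no
MaxAuthTries 6
X11Forwarding no
Match User backup
    PasswordAuthentication no
"""

# sshd accepts "Keyword value", "Keyword=value" and "Keyword = value".
_DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


@dataclass
class Finding:
    directive: str
    expected: str
    actual: Optional[str]  # None when the directive is not set at all

    def describe(self) -> str:
        actual = self.actual if self.actual is not None else "<unset>"
        return f"{self.directive}: expected {self.expected}, found {actual}"


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global directives from sshd_config text.

    Comments are stripped, keywords are lowercased (sshd treats them
    case-insensitively), the first occurrence of a keyword wins (as in sshd),
    and everything after a 'Match' line is skipped because it applies only
    conditionally and the baseline targets global settings.
    """
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE_RE.match(line)
        if not m:
            continue  # keyword with no value; nothing to compare
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        directives.setdefault(key, value)
    return directives


def check_against_baseline(config_text: str, baseline: Dict[str, str]) -> List[Finding]:
    """Return one Finding per baseline directive that is unset or mis-set.

    An unset directive counts as drift: the check does not assume the
    compiled-in sshd default satisfies the baseline.
    """
    effective = parse_sshd_config(config_text)
    findings: List[Finding] = []
    for directive, expected in baseline.items():
        actual = effective.get(directive)
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(directive, expected, actual))
    return findings


if __name__ == "__main__":
    for f in check_against_baseline(SAMPLE_SSHD_CONFIG, SSH_BASELINE):
        print("DRIFT", f.describe())
```

Run on the constructed sample, the check reports three findings: PermitRootLogin is set to yes, MaxAuthTries is 6 rather than 4, and LogLevel is unset. The same shape (parse the effective configuration, compare every baseline item, report unset items as drift rather than silently trusting defaults) is what you would schedule against real hosts so that a baseline is monitored, not merely established once.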

Remember to document and use your policies and procedures. As consultants, we often see organizations lacking in this area even though they have put technical capabilities in place. Poor governance can lead to redundancies and inefficiencies in deployed technology solutions and information technology (IT) investments, human error, and loss of corporate knowledge with employee turnover. Strong governance and well-documented policies and procedures allow an organization to adapt efficiently to the company's needs and reinforce the relationship between your cybersecurity program and your organizational and business units.

Here again, consultants can assist, but you want to align with consultants, like IBSS, who will also provide recommendations on how to improve your cyber hygiene, not just provide an evaluation of where you can improve. Oftentimes, the recommendations are more valuable than the evaluation itself, so choose your consultant carefully. 

Now it’s time to take action and schedule time in your calendar to review each of these areas so that you are CMMC prepared. 

If you are interested in learning more about CMMC and the foundations upon which it is built, get a copy of our free white paper, which goes in depth on all things CMMC.