Call (716) 373-4467
04Jun

Why and How the DoD is Implementing the CMMC

 

The Department of Defense has been working to improve cybersecurity over the last several years. 

News of nation-state sponsored theft of defense secrets makes the news on a regular basis.

The biggest source of leaks of leaks of sensitive intellectual property: the hundreds of thousands of contractors that have access to sensitive but unclassified information called Controlled Unclassified Information or CUI.

In 2013, the DoD created a security requirement in the Federal Acquisition Regulations called DFARS 252.204-7012. A few years later, NIST released a security requirement named SP 800-171.

While both of these began to improve security for the defense industrial base, they did not solve the problem. Compliance with the DFARS is mandatory, as is compliance with NIST, but in most cases compliance with these regulations is based on the honor system – this has not worked.

The solution: Cybersecurity Maturity Model Certification (CMMC).

The release of the CMMC in 2019 is the first time the DoD has required contractors, sub contractors, and suppliers to be certified to participate in the DoD supply chain.

So what do you need to know?

  • The DoD is now requiring that all contractors and subcontractors “self-certify” they are compliant with NIST SP 800-171 by November 30, 2020. This self-certification will include posting audit scores and expected date of compliance to the SPRS portal.
  • The government is now requesting that all DoD contractors and sub-contractors be in compliance with CMMC by 2025.
  • Companies need to look at their existing maturity with DFARS 800-171 and understand what CMMC Level (1, 2, 3, 4, or 5) they need to be in compliance with moving forward.
    • The DoD entity will dictate what Level of Compliance the contractor or sub-contractor must be at.

Databranch and Cyberstone are here to help! Cyberstone received Registered Provider Organization status from the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) and are well positioned to provide advice and consulting services to organizations seeking CMMC certification.

The steps are easy: Contract with Databranch and Cyberstone Security and complete a maturity assessment engagement.

Understand the gaps in your maturity level and develop a roadmap for compliance: technology changes may require budget cycles to resolve.

Don’t wait! The DoD wants to see policy and practice within your organization for an 8-12 month period BEFORE they audit and issue a certificate of compliance.

Once deemed compliant, the compliancy level is good for a 3-year period.

To learn more about how Databranch and Cyberstone can help your organization prepare for the CMMC, give us a call at 716-373-4467 x 15!

 

*Courtesy of Cyberstone*

comments powered by Disqus