Call (716) 373-4467
04Jun

Why and How the DoD is Implementing the CMMC

 

The Department of Defense has been working to improve cybersecurity over the last several years. 

News of nation-state sponsored theft of defense secrets makes the news on a regular basis.

The biggest source of leaks of leaks of sensitive intellectual property: the hundreds of thousands of contractors that have access to sensitive but unclassified information called Controlled Unclassified Information or CUI.

In 2013, the DoD created a security requirement in the Federal Acquisition Regulations called DFARS 252.204-7012. A few years later, NIST released a security requirement named SP 800-171.

While both of these began to improve security for the defense industrial base, they did not solve the problem. Compliance with the DFARS is mandatory, as is compliance with NIST, but in most cases compliance with these regulations is based on the honor system – this has not worked.

The solution: Cybersecurity Maturity Model Certification (CMMC).

The release of the CMMC in 2019 is the first time the DoD has required contractors, sub contractors, and suppliers to be certified to participate in the DoD supply chain.

So what do you need to know?

  • The DoD is now requiring that all contractors and subcontractors “self-certify” they are compliant with NIST SP 800-171 by November 30, 2020. This self-certification will include posting audit scores and expected date of compliance to the SPRS portal.
  • The government is now requesting that all DoD contractors and sub-contractors be in compliance with CMMC by 2025.
  • Companies need to look at their existing maturity with DFARS 800-171 and understand what CMMC Level (1, 2, 3, 4, or 5) they need to be in compliance with moving forward.
    • The DoD entity will dictate what Level of Compliance the contractor or sub-contractor must be at.

Databranch and Cyberstone are here to help! Cyberstone received Registered Provider Organization status from the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) and are well positioned to provide advice and consulting services to organizations seeking CMMC certification.

The steps are easy: Contract with Databranch and Cyberstone Security and complete a maturity assessment engagement.

Understand the gaps in your maturity level and develop a roadmap for compliance: technology changes may require budget cycles to resolve.

Don’t wait! The DoD wants to see policy and practice within your organization for an 8-12 month period BEFORE they audit and issue a certificate of compliance.

Once deemed compliant, the compliancy level is good for a 3-year period.

To learn more about how Databranch and Cyberstone can help your organization prepare for the CMMC, give us a call at 716-373-4467 x 15!

 

*Courtesy of Cyberstone*

Back to view all blog posts

Comments
comments powered by Disqus
Administrative Privileges AI algorithms Annual Security Training Anti-Virus Artificial Intelligence Authenticator App Backup and Recovery Backup Redundancy BCDR breach prevention Breach Prevention Platform Breaches business continuity Business Email Compromise Business Email Compromises Business Phone System Business Software BYOD Call Directory Cisco Cloud Accounts Cloud Infrastructure Cloud Security Cloud Solutions Comprehensive Cybersecurity Compromised Credentials computer support Computer Upgrades Conditional Access Credential Theft Cyber Attacks Cyber Criminals Cyber Defenses Cyber Insurance cyber liability insurance Cyber Risk Management Cyberattacks Cyberinsurance cybersecurity Cybersecurity Awareness month Cybersecurity Breach Cybersecurity Culture Cybersecurity Training Cybersecurity Webinar Dark Web Dark Web Monitoring Data Backup Data Backup and Recovery Data Backup Solution Data Breach Data Breaches Data Governance Data Management Data Privacy Compliance Data Privacy Regulation data protection Data Recovery Data Restoration deepfake Deepfakes Defense in Depth Denial of Service Device Security Disaster Recover Disaster Recovery DNS Filtering doug wilson employee cybersecurity training Endpoint Detection and Response field technician Foundation Security Gift Card Scams Hackers Hosted VoIP i.t. service provider Identity Theft incident response plan Incident Response Planning Insider Threats Internet Explorer Internet of Things Intrusion Detection Intrusion Prevention IoT Devices IT Compliance IT Infrastructure IT Myths IT Partner IT Policies IT Resource IT Security IT Service Provider IT Services Juice Jacking Local Admin local admin privileges Lost Devices M365 malware Managed Clients Managed IT managed service provider managed services Manages Services MFA Microsoft Microsoft 356 Microsoft 365 Copilot Microsoft Office Mobile Devices MSP MSP501 Multi-Factor Authentication Network Monitoring Network Security Network Testing New Computer NIST Framework Offboarding Office 365 Outlook Outsourced IT Password Manager Password Managers Password Protection password security Passwords Patch Management Patches Patching PC Performance Penetration Testing Personal Data phishing Phishing Attacks PII Proactive Monitoring Processor productivity Professional Tune-Up Public WiFi Push-Bombing RAM Ransomware Ransomware Prevention Recovery Time Calculator Remote Monitoring Remote Working repeatbusinesssystems Ring Groups risk assessment Risk Management Risk Tolerance Rock-It VoIP RTO Costs Scammers Scams security Security Assessment Security Awareness Training Security Defaults Security Key Security Scans SLAM Method Smishing SMS Social Engineering Social Media Security Solid-State Drive Sponsored Google Ads SSD stolen credentials Storage Teams technical support scam technology best practices Technology Management Technology Policies Technology Review Threat Detection Threat Identification Threat Modeling Updates virus VoIP Systems VPN Vulnerabilities Vulnerability Assessment Warning Signs Webinar Windows 8.1 Work Computers World Backup Day