DEFENSE CYBERSECURITY GROUP, Inc.
Integrity, Operational Excellence, Expertise
Bringing world-class operational cyber expertise together with a deep understanding of compliance requirements to help Defense Industrial Base (DIB) contractors. DCG helps organizations prepare for all aspects of Cybersecurity Maturity Model Certification (CMMC) compliance audits and provides external audit services.
CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)
CMMC is the new DoD framework for cyber defense, and it will shortly be mandated across the DoD supply chain. It is not only mandated: it will also require an independent third-party audit to confirm compliance, a massive change from the current world of self-attestation and corrective plans. By design, this is going to drive a much higher level of cyber compliance across the DIB, and that means not just some, but a vast majority of companies will have to make significant changes and investments to meet these requirements. We understand how challenging these requirements are and are prepared to help small and medium-sized businesses determine what needs to be done and to chart a course to get there. We can also help along the way!
CMMC enforcement timelines
The current timelines (as of May 2020) are:
Throughout 2020: The CMMC Accrediting Body (CMMC-AB) works to develop the standards and instructions for training and auditing against CMMC.
Sept 2020: Third-party auditors complete initial training
Late 2020: Several (fewer than 20) DoD contracts are chosen as the first to require CMMC certification
Late 2020: Pilot audits begin for contractors on selected contracts
Late 2020: The DFARS 7012 rule is modified to replace the NIST 800-171 requirement with a CMMC requirement
Between 2021 and 2024: New Requests for Proposals (RFPs) gradually begin requiring CMMC certification. This means that most DoD contractors won’t be directly affected by CMMC for several years.
The inclusion of CMMC in RFPs has already begun as of August, however, and GSA has also included CMMC in its latest major solicitation, STARS III. Every government prime and subcontractor should be preparing now for CMMC in anticipation of receiving an audit, so that they can bid on future contracts.
LEVELS & REQUIREMENTS
The DoD recognizes that its contracts have different risk profiles, so each RFP will list a CMMC level requirement from 1 to 5. Having proof of certification at that level will be a requirement for bid submission.
The lower levels (1-2) apply to DoD contractors who don’t deal with Controlled Unclassified Information (CUI). Other than purchase orders and possibly human resources information, they don’t hold government information on their corporate networks. The security requirements for these levels are much less stringent.
In the middle levels (3-4), DoD contractors handle CUI. This is information such as schematics for DoD equipment: data that lets adversaries reverse-engineer or learn about military capabilities. For example, a fabricator might hold maintenance plans for shipboard equipment that are CUI, and it will require at least a level 3 certification to keep that information on its network.
At the highest levels (4-5), the CUI being protected is high stakes. These networks will be targeted by cyber adversaries. Examples of this information would be weapon test results or detailed manufacturing schematics. Securing your network up to level 4 or 5 is likely to be very expensive.