Confusion persists about which CMMC level DoD contractors must meet. It is in every contractor's interest to assess its cybersecurity posture now rather than wait for the deadline.
Contractors in the Department of Defense (DoD) supply chain stand to lose work under the imminent Cybersecurity Maturity Model Certification (CMMC) rollout if they are not prepared to meet the required level by the deadline.
The DoD has announced that it intends to take the protection of controlled unclassified information (CUI) more seriously than ever before. The mandate reaches further than previous updates: contractors that do not pass a third-party assessment will be shut out of this profit-driving industry.
“This is a change of culture,” DoD acquisitions official Katie Arrington reportedly said of the enhanced cybersecurity rollout. “If the industry doesn’t think that they’re not going to start getting slapped on this, there’s another thing coming.”
“As a small business, when an adversary gets into your network, they’re not just going to take your (controlled unclassified information), they’re going to take your IP, they’re going to take your (personally identifiable information), they’re going to take your payroll information,” Arrington reportedly said. “They’re going to take it all.”
The DoD has made it abundantly clear that prime contractors and supply chain outfits alike who do not meet the standard will be left behind. Yet many businesses are uncertain whether the NIST SP 800-171 controls they have already implemented satisfy the CMMC requirements, or which of the five levels, if any, they currently meet. Although the DoD's tighter cybersecurity measures are well-founded, industry leaders have good reason to seek clarity.
Why CMMC & NIST SP 800-171 Bear Striking Resemblances
It is important for DoD supply chain outfits to step back and understand the intent of the CMMC mandate. In essence, CMMC merges requirements drawn from NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933, among others, into a single framework. Unlike a pure control checklist, CMMC assesses both a company's security practices and the maturity of the processes behind them (whether those practices are performed, documented, managed, reviewed, and optimized).
What distinguishes CMMC from NIST SP 800-171 is that 800-171 compliance under DFARS 252.204-7012 was self-attested, whereas CMMC defines five cumulative levels and requires certification by an accredited third-party assessor to remain in the DoD supply chain. Level 1 covers basic safeguarding of federal contract information; Level 3 incorporates all 110 NIST SP 800-171 requirements plus 20 additional practices, so an organization that has fully implemented 800-171 is most of the way to Level 3 but is not automatically there. Some peripheral organizations may be pleasantly surprised to discover they already meet many of the required practices. The more sensitive the information your work touches, the higher the level you can expect the contract to require, and Levels 4 and 5 are quite stringent. Decision-makers are therefore tasked with identifying the level their contracts will demand and meeting or exceeding it in the coming months.
How To Solve the CMMC Compliance Confusion
Regardless of whether your outfit has in-house IT, it is crucial to have an outside cybersecurity expert review your network, policies, practices, and overall defenses. People who work closely with a system take things for granted; a third-party assessor will not, and a failed assessment could prove costly. These are three ways to get ready for CMMC.
- Staff Augmentation: Bring in cybersecurity experts to work alongside in-house team members to review, assess, and remediate gaps so that the CMMC requirements are met before the assessment.
- Complete Outsourcing: Contract with a firm that has CMMC expertise to handle the compliance effort, or your entire cybersecurity program.
- Network Oversight: Have a third-party managed cybersecurity provider deliver the 24/7 monitoring and response capability that CMMC Level 5 calls for.
In previous years, the federal government was content to fine companies that failed to comply, after the fact. This time, businesses must pass the assessment before they can compete for lucrative DoD work. Arrington was candid about the government's strict position, given that upwards of 80 percent of sensitive data is housed on private-sector networks.
“Here’s my thing: I love ya, but good riddance,” she reportedly said.
Contact A CMMC Compliance Specialist
Hampton Roads Communication Technologies has earned a reputation as a trusted cybersecurity organization. We work with DoD contractors throughout the United States and the Mid-Atlantic region, including Hampton Roads, Virginia, north to Williamsburg and south to the Outer Banks of North Carolina.