We provide Consulting Services, MSA and Help Desk Support to reach your CMMC goals
ASON specializes in providing DoD manufacturers with cybersecurity expertise in Governance, Risk, Compliance and Privacy. As a support resource that can quickly provide actionable guidance, we save our clients considerable time and money. You also receive the peace of mind of having a dedicated expert assigned to your company. Through our MSA we support your Cybersecurity Maturity Model Certification (CMMC) level of compliance. We will proactively perform, support and maintain the associated Domains, Capabilities, Practices and Controls based on your required level of compliance.
- Identify security gaps based on best practices
- Alert ready vs alert fatigued
- Security and compliance as a growth driver
- Monitoring and analysis
- Customized security profiles
- Risk scoring and alert thresholds
- Advanced Reporting for Compliance
- Webroot Secure Anywhere® DNS Protection
If you are a Department of Defense (DoD) contractor, you're likely already aware of the Cybersecurity Maturity Model Certification (CMMC), an initiative led by the Office of the Assistant Secretary of Defense for Acquisition. This is an office in the Department of Defense (DoD) which helps set policy for DoD contract requirements.
DoD contractors who handle Controlled Unclassified Information (CUI) are already required to self-certify compliance with the NIST SP 800-171 set of cybersecurity best practices, but as has been determined, self-certification is not working well. DoD contractors have been successfully targeted by cyber adversaries because they haven't fully secured their networks.
To force DoD contractors to implement cybersecurity, the CMMC will require every DoD contractor to get an audit and certification from a third-party auditor. It doesn't matter whether the contractor manages CUI or not; they still need to get audited.
CMMC enforcement timelines as of May 2020:
- Mid 2020: Third-party auditors begin applying for accreditation
- Late 2020: DoD contractors start getting audited
- Early 2021: New Requests for Proposals (RFPs) begin requiring CMMC certification
CMMC levels and requirements
The DoD recognizes that its contracts have different risk profiles, so each RFP will list a CMMC level requirement from 1-5. Proof of certification at that level will be a requirement to even submit a bid.
The lower levels (1-2) apply to DoD contractors who don't deal with Controlled Unclassified Information (CUI). I expect most resellers will fit into this category. Other than purchase orders and possibly human resources information, they don't hold government information on their corporate networks. The security requirements for these levels are much less stringent.
In the middle levels (3-4), DoD contractors handle CUI. This is information like schematics for DoD equipment: data which lets adversaries reverse-engineer or learn about military capabilities. For example, a shipyard might have maintenance plans for submarine equipment on a CUI network. This requires a level of protection very similar to the current NIST SP 800-171 recommendations.
At the highest levels (4-5), the CUI being protected is high stakes. These networks will be targeted by cyber adversaries. Examples of this information would be weapon test results or detailed manufacturing schematics. Securing your network up to level 4 or 5 will be an expensive proposition.
Resources to get started with CMMC
CMMC Model overview: https://www.acq.osd.mil/cmmc/draft.html
Official homepage for CMMC: https://www.acq.osd.mil/cmmc/index.html
Official homepage of the CMMC Accreditation Body: https://www.cmmcab.org/
Official FAQ about CMMC: https://www.acq.osd.mil/cmmc/faq.html
Public discussion about individual CMMC requirements: https://www.cmmcaudit.org/cmmc-capabilities-controls-discussion-home/