Tag: CMMC 2.0

  • CMMC Changes for 2024 Summarized

    On December 26th 2023 the DoD (Department of Defense) dropped a slightly belated Christmas gift on defense contractors and vendors in the form of big changes to the CMMC (Cybersecurity Maturity Model Certification) program.

    Whether the timing of the release was intentional remains a matter of debate, but what is not up for debate is that these changes now define the path to your CMMC goals. (They were published as a proposed rule open to public comment, and could in principle still be challenged, but we would not hold our breath on that.) If you have not started working on them yet, this is your sign to get started ASAP.

    The 234-page proposed rule covered a variety of updates to the program, including splitting Level 2 into two tracks, a self-assessment or a certification assessment by an accredited third party, depending on the contract. For those actively working on it we are happy to say the controls themselves remain unchanged: Level 2 still maps to the 110 security requirements of NIST SP 800-171.

    The vast majority of contractors (63% by the DoD's estimate) will still fall under CMMC Level 1, but under the new rule these contractors can no longer use a POA&M (Plan of Action and Milestones) to cover unmet requirements. Every Level 1 requirement must be fully met at the time of the annual self-assessment.

    Contractors at Level 2 and Level 3 can still use a POA&M, but where contractors previously set their own timing for completing the open actions, the new rule requires every POA&M item to be closed out within 180 days of the assessment, confirmed by a closeout assessment. A POA&M is also only allowed at all if the initial score clears a minimum threshold (at Level 2, 88 of 110 points).

    This is a significant change and will make it very difficult for contractors rushing to get certified in time for existing contracts. There are also new limits on what a POA&M can cover: some requirements (broadly, the highest-weighted ones) cannot be placed on a POA&M at all and must be met at the time of assessment.

    DoD contractors and vendors will have to rethink their entire plan for coming into compliance with CMMC this year.

    The good news is that if you clear all of the new hurdles and pass your assessment, the result is valid for three years, although you will still need to affirm continuing compliance in SPRS every year in between.

    For those in the CMMC Level 2 category (an estimated 37% of those affected), whether you can self-assess and post your score in SPRS (Supplier Performance Risk System) or will need a certification assessment by a C3PAO (CMMC Third-Party Assessment Organization) depends entirely on the sensitivity of the CUI (Controlled Unclassified Information) involved in your contract, as determined by the DoD in the solicitation.

    As the rules roll out, most Level 2 contracts will likely start with self-assessment until the program gains its footing, after which we expect more contracts to require a third-party assessment. The requirements are the same 110 controls either way, so contractors should prepare as though a third-party assessment is coming.

    There is good news for Level 3 contractors in that not much has changed for them; Level 3 is still based on a selection of requirements from NIST SP 800-172. New language clarifies that a final (POA&M-free) Level 2 certification is a prerequisite for Level 3, and that the Level 3 assessment, performed by the DoD (DCMA DIBCAC) rather than a C3PAO, requires at least 20 of the 24 Level 3 requirements to be met, with the remainder on a POA&M closed within 180 days. Only a small minority of contractors will need Level 3, and we have no doubt those who qualify know who they are and were already well prepared for this news.

    The rollout of these changes, and of CMMC as a whole, follows a phased implementation spread across roughly three years. It begins with the DoD requiring a Level 1 or Level 2 self-assessment for new solicitations and ends with CMMC requirements included in all applicable new contracts, and in option periods on existing ones, by the final phase.

    It should also be noted that those who misrepresent their readiness under the CMMC program can face sharp penalties. The affirmation of compliance is submitted by a senior company official, and a false affirmation exposes the company to liability under the False Claims Act.

    To add salt to the wound, the DoD has given itself until 2027 to finish phasing these requirements into its own contracting. Rules for thee but not for me? Perhaps a little bit.

    These were not the only changes announced in December; if you would like to read the full 234-page document yourself, you can find it here.

    Either way, the best time to get your ducks in a row was several years ago (CMMC 2.0 was announced in November 2021), but short of inventing a time machine, the second-best time to start is now.

    Valley Techlogic has worked with clients on readiness for a variety of cybersecurity compliance frameworks including but not limited to CMMC, HIPAA, NIST, CIS and more. If you would like to learn more about how we can help you meet your CMMC goals, reach out today.

    This article was powered by Valley Techlogic, an IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.

  • CMMC Series: The Consequences for CMMC Non-Compliance

    You may have thought we finished our series on the Cybersecurity Maturity Model Certification (CMMC) program, but we would be remiss if we didn’t cover the consequences and penalties for not complying with the program if you’re a current Department of Defense (DoD) contractor.

    You may be thinking there’s a window to wait and see while rulings proceed on version 2.0 or have seen dates such as 2025 thrown out as the goal post for when the program will be completely finalized. Or maybe you’re just hoping the whole thing goes away, we get it. Looking at all of the controls and tiers can be overwhelming if your business is new to implementing cybersecurity measures.

    However, the program is here to stay, and your business will be much better equipped to meet the requirements if you begin working on them now. There is already a waiting list for those wishing to obtain their certification early, and we expect wait times to grow as the nearly 40,000 businesses that must comply rush to get certified before losing eligibility for existing contracts.

    Beyond existing contracts, holding a CMMC certification will make your business more competitive when seeking new contracts with the DoD. Progress towards CMMC is an investment in your business's future, and it also serves the goal of the program, which is protecting businesses, and the DoD information they handle, from cyber threats.

    So, what are the consequences for not working on CMMC compliance now, or in the future?

    The DoD has said that all Defense Industrial Base (DIB) contractors must be compliant by 2025. There are no direct monetary penalties or fines for non-compliance at this time; however, your business will no longer be eligible for defense contracts if you have not completed your certification by that date.

    Three years may seem like a long time, but when you look at the scope of what is necessary to comply with CMMC, it is really a short window to get your ducks in a row. Tier one can be accomplished relatively easily by most businesses, but if your business handles any Controlled Unclassified Information (CUI), you are really looking at a goal of tier three going forward (or tier two if/when version 2.0 is released).

    That is also not counting the time spent on a waiting list for a C3PAO (CMMC Third-Party Assessment Organization, accredited by the CMMC Accreditation Body) to actually complete your assessment. You will need to complete your self-assessment and POA&M (Plan of Action and Milestones) before getting on the waiting list for a CMMC assessment.

    It is also important to note that your self-assessment must be affirmed by a senior company official; it is not enough to simply have your IT person or team complete the self-assessment and submit it.

    The DoD has said it will spot-check contractor compliance against what the contractor has entered in the Supplier Performance Risk System (SPRS). Posting a NIST SP 800-171 self-assessment score in SPRS is already required under the Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7019 and 252.204-7020, which many contractors will already be familiar with. Assessors will be checking whether your DFARS disclosures and your actual NIST/CMMC posture match.

    Submitting false information puts your business at risk of running afoul of the False Claims Act (FCA), which can leave you liable for civil penalties and treble damages. The FCA's qui tam provisions also reward whistleblowers who expose businesses that falsify their cybersecurity representations on these forms, and the Department of Justice's Civil Cyber-Fraud Initiative has made exactly this kind of case an enforcement priority.

    This is all to say there are significant risks involved in ignoring CMMC, and we suggest you begin working on it now; otherwise we are afraid you will be paying for it later.

    If you need assistance with working on your CMMC accreditation, cybersecurity practices and compliance, DFARS forms or more – Valley Techlogic can assist you. Schedule a consultation today to learn how we can help your business meet your CMMC compliance goals for 2022.

    VTL Can Help With Your CMMC Progress!

  • CMMC Series: Preparing for your assessment

    This is our fifth article on this topic and as we bring it to a close, I’d like to first look back at what we’ve covered so far.

    We started the series looking at what’s ahead for the Cybersecurity Maturity Model Certification (CMMC) program in 2022. Then we covered tiers one, two and three as they exist in the current 1.0 model of the program. We’re anticipating that tiers two and three will be merged going forward as version 2.0 rolls out (placing a larger burden on defense contractors looking to scale past the beginner controls in tier one and become more competitive in the marketplace).

    So, if you’re reading this you’ve hopefully begun the process of implementing the controls within your business and are thinking it’s time to begin the process of obtaining your certification. There are several steps that come before actually obtaining your certification (although it should be noted that the CMMC Accreditation Body is currently in the process of hiring and waiting lists for certification could be lengthy at this time). The sooner you begin implementing the CMMC controls within your business, the sooner you can attempt to get on the waiting list to receive your certification.

    The assessment process will follow these steps:

    1. Begin implementing a plan for CMMC within your business and conduct a self-assessment against NIST SP 800-171 (or partner with a provider like Valley Techlogic to assist you with this).
    2. As you improve your processes, submit your score to the Department of Defense's (DoD) Supplier Performance Risk System (SPRS).
    3. Identify the level you wish to obtain for your business (it is our opinion that maturity level 3 will be required for most defense contractors in the future).
    4. Obtain a third-party gap assessment; this will show you where your business is and where it needs to be to achieve your goal.
    5. After addressing the gaps found in the assessment, go to the CMMC-AB Marketplace and choose a CMMC Third-Party Assessment Organization (C3PAO) to conduct your CMMC assessment.
    6. The C3PAO submits its results to the CMMC Accreditation Body for review, after which your CMMC certification is issued.

    Of course, this boils many months (or even years) of preparation down into what looks like six easy steps. The process will be time consuming and potentially costly, but for those who wish to continue doing business with the DoD it is a necessary investment in the future.

    As we’ve mentioned in past articles on the topic, defense contractors who refuse to comply with the CMMC process will no longer be eligible for defense contracts in the future. Beyond that, if you reach a higher level of certification, you will be in a better position to receive more contracts as it will be used as a comparative tool going forward.

    If you would like assistance with the CMMC self-assessment process or preparing for your C3PAO assessment, Valley Techlogic has experience in this area. We have helped businesses begin the process of becoming CMMC ready; if you would like to learn more, schedule a consultation with our experts today.

  • CMMC Series: Tier Three Overview

    We’ve covered tier one and tier two of the Cybersecurity Maturity Model Certification (CMMC) program, and this week we’ll be tackling tier three.

    Before we dive in, we want to mention that we’re covering tier three as it exists currently (in 2022), version 1.0 has five tiers but once version 2.0 of the program releases it will be reduced to three tiers.

    What are currently tiers two and three will be folded into Level 2 of CMMC 2.0 (the 110 practices of today's tier three become Level 2), so it is still worthwhile to pursue up to tier three in the existing model.

    Tiers four and five in the existing model (or tier three in the future in version 2.0 of CMMC) feature the highest level of protection and may not be necessary for most businesses pursuing Department of Defense (DoD) contracts. It’s estimated less than 1% of businesses will need to pursue beyond tier three.

    In the labels the 1.0 model gives the first three tiers, tier one is "basic cyber hygiene", tier two is "intermediate cyber hygiene" and tier three is "good cyber hygiene". By tier three your business will be in a much stronger position to protect the CUI it handles from cyber-attacks.

    Tier one had 17 controls, tier two added 55 more for 72 total, and tier three almost doubles the controls adding another 58 for 130 total.

    Level three expands on Access Control, which adds 8 more controls that focus on encryption and preventing unauthorized access to sensitive systems.

    Next, we see a new control in Asset Management that requests that you develop plans and procedures for handling CUI data.

    Audit and Accountability has 7 new controls that ask you to expand on your logging efforts as well as restrict access to those logs to only authorized users.

    Awareness and Training has one new control and it’s solely around providing and maintaining cyber training for your employees.

    Configuration Management adds three new controls, the CMMC controls in this category are looking for you to tighten up the configurations on your business’s devices, such as preventing downloads of unauthorized software and disallowing users to make security changes on their own.

    In Identification and Authentication we see four controls aimed at tightening up user security, such as requiring MFA (multi-factor authentication), using replay-resistant authentication, preventing the reuse of identifiers (account names) for a defined period and disabling identifiers after a defined period of inactivity.

    The two controls found in Incident Response ask you to track any incidents that occur and regularly test your organization incident response capabilities.

    Tier three Maintenance adds two new controls, one that asks you to sanitize any equipment of CUI data before it’s removed for maintenance and another that asks you monitor any media meant for testing or diagnostic purposes for malicious code before installing it on your devices.

    Media Protection adds four new controls, they all involve properly marking and restricting access to CUI data.

    Physical Protection in tier three of CMMC adds one control, which asks you to enforce safeguarding measures for CUI at alternate work sites, such as employees' home offices, rather than only at your main facility.

    Recovery also adds just one control and it’s aimed at having a schedule for your businesses backups that is strictly maintained and that proper storage capacity for your backups is provided and prioritized.

    Risk Management adds three controls; two are about maintaining risk assessments and developing plans to mitigate any identified risks. The third asks you to manage products no longer supported by their vendors separately, including enforcing access and use restrictions on them. What this means in practice is that if your business relies on an older piece of software you cannot yet retire, you need to isolate it to stay in compliance with CMMC, since any software that no longer receives updates is a potential threat vector for your business.

    Security Assessment adds two new controls, they want you to monitor your security controls for ongoing efficacy and also have an independent security assessment conducted to identify any areas of risk that may be missed in your internal efforts.

    Not seen in tiers one or two, tier three introduces the first Situational Awareness control, and it asks that you begin to share cyberthreat intelligence found from reputable sources with your stakeholders. An example would be if there’s been an announcement of a breach occurring with a software your business uses, you would be obligated to share your knowledge of that breach as it becomes available to you.

    System and Communications Protection in tier three adds the most new controls of any category, 15 in total. Controls in this category cover items such as building security into your in-house software engineering and system development, using FIPS-validated cryptography to protect CUI, and establishing and managing the cryptographic keys for all the cryptography used on your systems. Taken together, these controls close the remaining gaps in how your systems protect CUI in transit and at rest.

    Finally, System and Information Integrity adds three new controls. One asks you to employ spam protection at all system entry and exit points, the second asks you to implement email forgery protections (for example, SPF, DKIM and DMARC to stop spoofed senders) and the third asks you to use "sandboxing" to detect or block potentially malicious email attachments and links.

    As you can see, tier three greatly expands on the active role your business will need to take when it comes to cybersecurity measures. Implementing tier three will be made easier though as your business conducts the cumulative process of preparing better cyber readiness.

    For example, in tier two we saw monitoring efforts increase substantially, in tier three you can use the records that have been obtained to fill in the gaps that were uncovered in that process.

    Because such a small portion of businesses will need to obtain tiers four and five, we are not planning an in-depth article on those tiers. If you would like a consultation with Valley Techlogic on the CMMC process and the maturity level your business will need, you can schedule one here. In next week's article we will talk about the CMMC assessment process and what you will need to do to prepare as your assessment approaches.
