Tag: CMMC Accreditation

  • CMMC Changes for 2024 Summarized

    CMMC Changes for 2024 Summarized

    On December 26th 2023 the DoD (Department of Defense) dropped a slightly belated Christmas gift on defense contractors and vendors in the form of big changes to the CMMC (Cybersecurity Maturity Model Certification) program.

    Whether the timing of the info dump was intentional or not remains a matter of debate but what’s not up for debate is that these changes are now the law of the land when it comes to reaching your CMMC goals (at least until they’re possibly challenged in court but we wouldn’t hold our breath on that). If you have not started working on them yet this is your sign to get started ASAP.

    The 234-page document covered a variety of updates to the program, including splitting up tier 2 into self-attestation OR requiring contractors and vendors to obtain a third-party audit, but for those actively working on it we’re happy to say the controls themselves remain unchanged.

    The vast majority of contractors (63% as estimated by the DoD) will still fall under CMMC Level 1 but a new change will not allow these contractors to submit a POA&M (Plan of Action and Milestones) to comply with unmet milestones going forward.

    For contractors falling under Level 2 and 3 they can still submit a POA&M but while it previously allowed contractors to set their own timing for completing the actions required the new rules state all POA&M must have a plan for completion within 180 days of the initial assessment.

    This is a huge change and will make it very difficult for contractors who are trying to rush to get their accreditation to comply with existing contracts. There are also new limitations on POA&Ms and some controls don’t allow them to be completed under a POA&M at all.

    DoD contractors and vendors will have to rethink their entire plan for coming into compliance with CMMC this year.

    The good news is that if you do meet all of the new hurdles and pass your assessment you will be in the clear for 3 years.

    For those in the CMMC level 2 category (an estimated 37% of those affected) whether or not you can still self-attest in SPURs (Supplier Performance Risk System) or will need a third-party assessment is dependent entirely on whether the CUI (Controlled Unclassified Information) found in your contract warrants one or the other as determined by the DoD.

    As these rules are still rolling out Level 2 contracts will most likely be required to self-attest to start until the program gains its footing when we’ll start to see more required to take on a third-party assessment. Contractors should be prepared either way as they perform the actions needed to qualify for certification.

    There’s good news for Level 3 contractors in that not much has changed for them, and the program overall is still based on guidance from NIST SP 800-172. New language was added that CMMC Level 3 contractors must maintain a perfect Level 2 score in addition to achieving 20 out of 24 points to meet the qualifications for Level 3. Only a small minority of contractors will need to worry about achieving Level 3 and we have no doubt those that qualify know who they are and were already well prepared for this news.

    The proposed roll out of these changes and CMMC as a whole is under a phased implementation window that will expand across a three-year period. Beginning with the DoD looking at those soliciting new DoD contracts to have a Level 1 or Level 2 self-attested score all the way up to the inclusion of CMMC in all new and existing contracts by year three.

    It should also be noted that those who misrepresent their level of readiness under the CMMC program can face some pretty sharp penalties for doing so.

    To add salt to the wounds the DoD have given themselves a grace period up to 2027 to begin rolling out these changes within their own organization – rules for thee but not for me? Perhaps a little bit.

    These weren’t the only changes to be announced in December, if you would like to see and read the full 234-page document yourself you can find it here.

    Either way the time to get your ducks in a row was several years ago (CMMC 2.0 was released in 2021) but short of inventing a time machine to do so the second best time to start is now.

    Valley Techlogic has worked with clients on readiness for a variety of cybersecurity compliance frameworks including but not limited to CMMC, HIPAA, NIST, CIS and more. If you would like to learn more about how we can help you meet your CMMC goals, reach out today.

    Looking for more to read? We suggest these other articles from our site.

    This article was powered by Valley Techlogic, an IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.

  • CMMC Series: The Consequences for CMMC Non-Compliance

    CMMC Series: The Consequences for CMMC Non-Compliance

    You may have thought we finished our series on the Cybersecurity Maturity Model Certification (CMMC) program, but we would be remiss if we didn’t cover the consequences and penalties for not complying with the program if you’re a current Department of Defense (DoD) contractor.

    You may be thinking there’s a window to wait and see while rulings proceed on version 2.0 or have seen dates such as 2025 thrown out as the goal post for when the program will be completely finalized. Or maybe you’re just hoping the whole thing goes away, we get it. Looking at all of the controls and tiers can be overwhelming if your business is new to implementing cybersecurity measures.

    However, the program is here to stay, and your business will be much better equipped to meet the requirements if you begin working on them now. There is a waiting list already for those wishing to obtain their certification earlier, and we expect the wait times to only grow as nearly 40,000 businesses who must comply with this program rush to get their certification before losing eligibility for existing contracts.

    Beyond existing contracts, having your CMMC certification will make your business more competitive when seeking new contracts with the DoD. Progress towards CMMC is an investment in your business’s future, and it also meet the goals of the program which is protecting businesses from cyber threats.

    So, what are the consequences for not working on CMMC compliance now, or in the future?

    The DoD has said that all Defense Industrial Base (DIB) contractors must be compliant by 2025. There are no direct monetary penalties or fines for not being compliant at this time, however your business will no longer be eligible for defense contracts if you have not successfully completed your accreditation by that date.

    Three years may seem like a long time but when you look at the scope of what’s necessary to be compliant with CMMC, it’s really a short window to get your ducks in a row. Tier one could be accomplished relatively easily by most businesses, but if your business handles any Confidential Unclassified Information, you’re really looking at a goal of tier three moving forward (or tier two if/when version 2.0 is released).

    That’s also not counting the time spent in a waiting list for a member of the CMMC Accreditation Body to actually complete your assessment, you will need to work on your self-assessment status and POAM (Plan of Action and Milestones) prior to getting on the waiting list for CMMC accreditation.

    It’s also important to note that your self-assessment must be confirmed by company leadership, it’s not enough to simply have your IT person or team complete the self-assessment and submit it.

    The DoD has said they will randomly test contractor compliance and see if it matches what the contractor has inputted into Supplier Performance Risk System (SPRS). SPRS is a necessary requirement for being compliant with Defense Federal Acquisition Regulation Supplement (DFARS) which many contractors may already be aware of. They will be looking to see if your disclosures for DFARS in regards to CMMC/NIST match.

    Submitting false information could make your business at risk for running afoul of the False Claims Act (FCA), which could leave you liable for civil fines and penalties. There is even a program in place to reward whistleblowers who bring to light businesses who are falsifying information about their cybersecurity practices on these forms.

    This is all so much to say as there are significant risks involved with ignoring CMMC and we suggest you begin working on it now or we’re afraid you’ll be paying for it later.

    If you need assistance with working on your CMMC accreditation, cybersecurity practices and compliance, DFARS forms or more – Valley Techlogic can assist you. Schedule a consultation today to learn how we can help your business meet your CMMC compliance goals for 2022.

    VTL Can Help With Your CMMC Progress!

    Looking for more to read? We suggest these other articles from our site.

    This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.

  • CMMC Series: Tier One Overview

    CMMC Series: Tier One Overview

    Last week we covered a general overview of what the Cybersecurity Maturity Model Certification (CMMC) program is and what’s been announced for 2022 so far. Presently, there are five maturity tiers found in program, although if (or when) version 2.0 is released it’s been announced that the program will be simplified down to just three tiers.

    The changes that will be happening with version 2.0 however don’t affect tier one very much. Tier one covers basic cybersecurity hygiene in both versions of the program. It sets the groundwork for the later tiers and while the topics covered are “basic”, the foundational coverage they provide is imperative for any business – not just those required to adhere to CMMC for contractual or compliance reasons.

    The Cybersecurity Maturity Model Certification (CMMC) program includes 17 controls at the moment with 171 practices. Thirty of those practices are only found within CMMC and not in the framework which formed the basis for it (NIST) and are anticipated to be removed in version 2.0. However, in both version 1.0 and 2.0 there are 17 practices that must be adhered to for tier one.

    It’s important to note as well this process is not one and done, you must actively maintain your cybersecurity compliance to continue being certified within CMMC. Failure to do so could result in losing your certification, losing contracts that require CMMC compliance, and or even being fined for violating the False Claims Act (FCA) which will talk about in more detail in a future article.

    It’s beneficial to maintain your compliance to both adhere to the program and protect your business from cyber threats.

    In tier one the program begins with “Access Control” and there are five components. These components cover topics such as user privileges and controlling remote access and access to internal systems.

    The next control is “Identification and Authentication” which aligns well with Access Control, the two practices found within that control involve documenting those that access your systems and maintaining reports for those logins.

    Then we have “Media Protection” which has just one practice and it’s aimed at maintaining sanitation of your devices (such as removing sensitive data from hard drives).

    Next, we have “Physical Protection” and in tier one of CMMC this topic covers improving the way you surprise visitors to your office location (a lot of cyber threats stem from an attack known as “spear phishing”). There are four practices found under “Physical Protection”.

    “System and Communication Protection” has two practices and they’re both aimed at securing the private communication you and your employees have (that may include CUI – Controlled Unclassified Information – data).

    Finally, we have “System and Information Integrity” which has five practices that cover better securing your businesses systems, including performing needed updates, and monitoring for malicious code.

    As you can see, these basic practices set a good baseline for activities found in higher maturity tiers. In tier one “System and Information Integrity” you’re monitoring for malicious code – in tier two and three there are practices that stipulate how to actually deal with it.

    We will be continuing to provide more information on CMMC in this series, next week we will take an in depth look at tier two. If your business needs to meet the requirements for being CMMC certified, Valley Techlogic can help. We have experiences helping businesses achieve greater cybersecurity compliance and assisting them with the certification process. Learn more today.

    Looking for more to read? We suggest these other articles from our site.

    This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.

  • CMMC Series: What’s Happening in 2022

    CMMC Series: What’s Happening in 2022

    We’ve touched on the Cybersecurity Maturity Model Certification (CMMC) before in this blog, but over the next five weeks we’ll be doing a deep dive into this particular cybersecurity framework in our new CMMC Series. Starting with today’s post on what’s happening currently and what we can expect in 2022.

    At Valley Techlogic, we believe a good cybersecurity framework can be the backbone for businesses looking to beef up their cybersecurity implementation. The roadmaps found within frameworks such as CMMC, HIPAA, CIS and NIST act as a perfect guide whether you’ve been implementing cybersecurity strategies for a while or are brand new to the process.

    Our focus on CMMC occurs as the program is set to go through changes. CMMC Version 1.0 was released January 31st, 2020, and while it borrowed most of its components from NIST, it did have 30 additional requirements that aren’t found in the National Institute of Standards and Technology (NIST) framework.

    Those additional standards will not exist in version 2.0 however, as the Department of Defense (DoD) moves to simplify the program and roll back any government oversight that may overreaching. Version 2.0 will allow more companies to self-certify as well.

    Rolling out a new version of anything in the government is a time intensive process, since the new changes were announced it’s anticipated it could take anywhere from 9 months to 24 months before a ruling is established. Also, some groups who are currently involved in implementing CMMC are protesting the changes.

    Regardless of what version exists, we’re past the point where businesses who hold contracts with the DoD can choose to ignore the writing on the wall. You will need to start implementing these security measures now if you haven’t already if you want to maintain your compliance with the DoD rules for their contractors. Whether 2.0 passes or not, CMMC is not going away.

    CMMC accreditation audits are expected to kick off soon, and there’s even some talks about incentivizing businesses who receive their CMMC certifications before it’s officially required. CMMC certification also lets your customers know you take securing their data seriously within your organization.

    Whether it’s 5 tiers found in the existing model or 3 tiers found in 2.0, the best place to start is in the first tier. These changes are easy to quickly implement and will lay the foundation for future cybersecurity improvements. At Valley Techlogic, we have experience helping businesses implement the requirements found within CMMC (as well as NIST, HIPAA, CIS and more).

    We can help your business self-certify and prepare for CMMC accreditation. We can quickly bring you to compliance with tier one and set goals for the more advanced levels.

    Over the next weeks we will talk about the goals found within tier one and beyond in this ongoing CMMC series. If you’re hoping to meet the qualifications for CMMC accreditation in 2022, schedule a meeting with us today to learn how we can help with the process.

    Looking for more to read? We suggest these other articles from our site.

    This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.