Tag: cmmc certification

  • 2023 is coming, is your business CMMC ready?

    2023 is coming, is your business CMMC ready?

    For some Department of Defense (DoD) contractors, CMMC or Cybersecurity Maturity Model Certification compliance may be a looming figure that they’ve yet to address. If you’re one of the ones currently making headway on it, you may not be certain which level you need to reach for your business.

    CMMC version 2.0 was announced last November, and it seems as if that’s going to be the de facto model going forward. In version one there were 5 levels of CMMC compliance, which have now been reduced to 3. To put it simply, level 1 of the program remained the same, levels 2 and 3 were combined and levels 4 and 5 were also combined.

    This means if you were previously aiming for level 2 in the previous version of the program, you will now need to address topics in level 3 to be compliant.

    Level one or the Foundational Level is meant for who do not handle Federal Contract Information (FCI) data. The checklist features just 17 items, and your compliance is self-attested which means you do not need to have a formal CMMC testing done to be compliant with the program.

    Many DoD contractors though will fall into level 2 or the Advanced Level due to their handling of Controlled Unclassified Information (CUI), level 2 features 110 controls. All of CMMCs level 2 controls originate from NIST SP 800-171.

    With the announcement of version 2.0 it was also announced the additional CMMC specific controls would be removed. If your business has already been working towards compliance with NIST before CMMC was announced you’re in a perfect position to work towards your CMMC compliance goals.

    While 2.0 has not yet been signed into law, it was announced by the Pentagon last April that CMMC language would begin to start showing up in DoD contractors starting July 2023 – so the clock is definitely ticking if your business will be vying for those contracts.

    A small portion of businesses will be required to undertake the rigorous task of being compliant with level 3 of CMMC, or the Expert Level. It’s based on NIST-800-171 and 172 and has 134 requirements at the time of writing, many of which require specialized equipment and software.

    For both levels 2 and 3, audits will be required through the CMMC Accreditation Body (recently renamed Cyber-AB). Cyber-AB is an independent auditing body and we’ve been told the wait times to be audited are lengthy, though this will get a little better as the program gains more auditors. It’s still a good idea to make sure your business is ready and meets the compliance standards though especially as CMMC regulations continue to be rolled out ahead of the official release. You don’t want to be caught needing that proof of compliance to meet your contract requirements and not having it.

    The DoD has also indicated it would take a contractors level of CMMC compliance into consideration when choosing for their contracts – so not being compliant may not just put your existing contracts at risk it could cost you new ones as well.

    We have several articles explaining the levels and controls in more detail, here are our articles on levels one, two and three.

    If you’ve barely scratched the surface in your organization, you can still make changes that will put you in a better position when you begin to tackle it in earnest. Many of the requirements, especially those found in level one, is common sense advice for being safer online. You (and your employees) can work on these five items first:

    If after reviewing the information, you feel like you just need a hand to either cement cybersecurity processes you already have in place or have a partner in your CMMC goals, Valley Techlogic can help.

    We have firsthand knowledge of the CMMC program and helping clients become CMMC certified. Our tools will help you meet the requirements necessary and quickly get your business ready for the audit process.

    Make an appointment today for a free consultation to learn more.

    Looking for more to read? We suggest these other articles from our site.

    This article was powered by Valley Techlogic, an IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.

  • CMMC Series: The Consequences for CMMC Non-Compliance

    CMMC Series: The Consequences for CMMC Non-Compliance

    You may have thought we finished our series on the Cybersecurity Maturity Model Certification (CMMC) program, but we would be remiss if we didn’t cover the consequences and penalties for not complying with the program if you’re a current Department of Defense (DoD) contractor.

    You may be thinking there’s a window to wait and see while rulings proceed on version 2.0 or have seen dates such as 2025 thrown out as the goal post for when the program will be completely finalized. Or maybe you’re just hoping the whole thing goes away, we get it. Looking at all of the controls and tiers can be overwhelming if your business is new to implementing cybersecurity measures.

    However, the program is here to stay, and your business will be much better equipped to meet the requirements if you begin working on them now. There is a waiting list already for those wishing to obtain their certification earlier, and we expect the wait times to only grow as nearly 40,000 businesses who must comply with this program rush to get their certification before losing eligibility for existing contracts.

    Beyond existing contracts, having your CMMC certification will make your business more competitive when seeking new contracts with the DoD. Progress towards CMMC is an investment in your business’s future, and it also meet the goals of the program which is protecting businesses from cyber threats.

    So, what are the consequences for not working on CMMC compliance now, or in the future?

    The DoD has said that all Defense Industrial Base (DIB) contractors must be compliant by 2025. There are no direct monetary penalties or fines for not being compliant at this time, however your business will no longer be eligible for defense contracts if you have not successfully completed your accreditation by that date.

    Three years may seem like a long time but when you look at the scope of what’s necessary to be compliant with CMMC, it’s really a short window to get your ducks in a row. Tier one could be accomplished relatively easily by most businesses, but if your business handles any Confidential Unclassified Information, you’re really looking at a goal of tier three moving forward (or tier two if/when version 2.0 is released).

    That’s also not counting the time spent in a waiting list for a member of the CMMC Accreditation Body to actually complete your assessment, you will need to work on your self-assessment status and POAM (Plan of Action and Milestones) prior to getting on the waiting list for CMMC accreditation.

    It’s also important to note that your self-assessment must be confirmed by company leadership, it’s not enough to simply have your IT person or team complete the self-assessment and submit it.

    The DoD has said they will randomly test contractor compliance and see if it matches what the contractor has inputted into Supplier Performance Risk System (SPRS). SPRS is a necessary requirement for being compliant with Defense Federal Acquisition Regulation Supplement (DFARS) which many contractors may already be aware of. They will be looking to see if your disclosures for DFARS in regards to CMMC/NIST match.

    Submitting false information could make your business at risk for running afoul of the False Claims Act (FCA), which could leave you liable for civil fines and penalties. There is even a program in place to reward whistleblowers who bring to light businesses who are falsifying information about their cybersecurity practices on these forms.

    This is all so much to say as there are significant risks involved with ignoring CMMC and we suggest you begin working on it now or we’re afraid you’ll be paying for it later.

    If you need assistance with working on your CMMC accreditation, cybersecurity practices and compliance, DFARS forms or more – Valley Techlogic can assist you. Schedule a consultation today to learn how we can help your business meet your CMMC compliance goals for 2022.

    VTL Can Help With Your CMMC Progress!

    Looking for more to read? We suggest these other articles from our site.

    This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.

  • CMMC Series: Tier Two Overview

    CMMC Series: Tier Two Overview

    This is the third week of our Cybersecurity Maturity Model Certification (CMMC) Series. You can find week one, which was a look at what’s happening with CMMC in 2022 here. Last week, we gave you an overview of tier one which you can review here.

    Tier one in CMMC really covers the basic foundational steps you must take to move on to tier two and tier three. For some contractors, tier one will be enough to keep and maintain compliance with their Department of Defense (DoD) contracts. Every situation is unique, but broadly speaking if you don’t handle Controlled Unclassified Information (CUI) in your business – tier one will probably be the extent that you need to reach.

    If you do handle any CUI data, then we recommend you strive towards tier two or tier three. Many of the protections that come in the later tiers specifically cover how to safeguard this data and it’s in your businesses best interest to meet the requirements. While there are no direct financial penalties at the time of writing for not doing so, the DoD is considering a system of rewarding businesses who achieve greater CMMC maturity levels.

    If you and another business are exactly the same in what you do and, in your pricing, – or even if their pricing is a bit higher than yours – if they have achieved tier three cybersecurity maturity model certification and your business is tier one or not certified at all yet, it’s likely your competitor will win the bid.

    So, what goes into reaching tier two in CMMC?

    Tier two is the next milestone within CMMC, and the difficulty does scale considerably with each level. While tier one had 17 provisions, tier two introduces 55 more for a total of 72 practices you’ll need to cover to meet the requirements (the practices are cumulative).

    In addition to more practices tier two also introduces new domains.

    First there is Access Control, tier two access control looks to limit access to who can log into your organizations systems (and how much they can access when they do).

    Next is Awareness and Training, in tier two you will need to make sure your managers, administrators and anyone else you who would have access to sensitive systems is attending regular cybersecurity training.

    In Audit and Accountability, we look to maintain logs of user activity for review.

    Security Assessment is where we really begin to see accountability being held on organizations, you will need to conduct regular assessments as you work towards your cybersecurity goals and develop cybersecurity plans based on the assessment results.

    Configuration Management covers the need to manage the configurations of your office devices and equipment with cybersecurity best practices in mind.

    Identification and Authentication is similar to access control, but it specifically looks to limit sensitive systems to only those who should have authorization to access them.

    While tier one in CMMC only covered the basics and didn’t address what happens when you have a cyber incident, tier two starts to cover that with the Incident Response control.

    The Maintenance control in tier two actually refers to your devices and how you maintain them, and what you will need to do in case of their failure.

    Media Protection in tier two covers specific provisions around the handling and destruction of removable media, such as flash drives.

    We started looking at Physical Protection in tier one by keeping visitor logs, but tier two asks that you actually begin to escort guests through your facilities and screening personnel.

    Tier one surprisingly doesn’t ask that you backup your data (even though we would always recommend that) – in tier two Recovery you must have a plan for backing up your data.

    In tier two Risk Management, CMMC asks that you begin to conduct risk assessments and fix any vulnerabilities that are uncovered during the process.

    Systems and Communications Protection in tier two includes controlling communications within your organization, not just monitoring them.

    Finally, the System and Information Integrity domain covers actively monitoring your systems for breaches and quickly resolving any that come up.

    As you can see, CMMC maturity tier two dives into the deep end of cybersecurity, but the provisions it covers will make a discernible impact in your cyber readiness throughout your entire business.

    Does your business need to meet the requirements for being certified with CMMC? Valley Techlogic can help, we have experience helping DoD contracted businesses reach their cybersecurity and CMMC goals, as well as helping with the certification process itself. Learn more today in a free consultation.

    Looking for more to read? We suggest these other articles from our site.

    This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.

  • CMMC Series: Tier One Overview

    CMMC Series: Tier One Overview

    Last week we covered a general overview of what the Cybersecurity Maturity Model Certification (CMMC) program is and what’s been announced for 2022 so far. Presently, there are five maturity tiers found in program, although if (or when) version 2.0 is released it’s been announced that the program will be simplified down to just three tiers.

    The changes that will be happening with version 2.0 however don’t affect tier one very much. Tier one covers basic cybersecurity hygiene in both versions of the program. It sets the groundwork for the later tiers and while the topics covered are “basic”, the foundational coverage they provide is imperative for any business – not just those required to adhere to CMMC for contractual or compliance reasons.

    The Cybersecurity Maturity Model Certification (CMMC) program includes 17 controls at the moment with 171 practices. Thirty of those practices are only found within CMMC and not in the framework which formed the basis for it (NIST) and are anticipated to be removed in version 2.0. However, in both version 1.0 and 2.0 there are 17 practices that must be adhered to for tier one.

    It’s important to note as well this process is not one and done, you must actively maintain your cybersecurity compliance to continue being certified within CMMC. Failure to do so could result in losing your certification, losing contracts that require CMMC compliance, and or even being fined for violating the False Claims Act (FCA) which will talk about in more detail in a future article.

    It’s beneficial to maintain your compliance to both adhere to the program and protect your business from cyber threats.

    In tier one the program begins with “Access Control” and there are five components. These components cover topics such as user privileges and controlling remote access and access to internal systems.

    The next control is “Identification and Authentication” which aligns well with Access Control, the two practices found within that control involve documenting those that access your systems and maintaining reports for those logins.

    Then we have “Media Protection” which has just one practice and it’s aimed at maintaining sanitation of your devices (such as removing sensitive data from hard drives).

    Next, we have “Physical Protection” and in tier one of CMMC this topic covers improving the way you surprise visitors to your office location (a lot of cyber threats stem from an attack known as “spear phishing”). There are four practices found under “Physical Protection”.

    “System and Communication Protection” has two practices and they’re both aimed at securing the private communication you and your employees have (that may include CUI – Controlled Unclassified Information – data).

    Finally, we have “System and Information Integrity” which has five practices that cover better securing your businesses systems, including performing needed updates, and monitoring for malicious code.

    As you can see, these basic practices set a good baseline for activities found in higher maturity tiers. In tier one “System and Information Integrity” you’re monitoring for malicious code – in tier two and three there are practices that stipulate how to actually deal with it.

    We will be continuing to provide more information on CMMC in this series, next week we will take an in depth look at tier two. If your business needs to meet the requirements for being CMMC certified, Valley Techlogic can help. We have experiences helping businesses achieve greater cybersecurity compliance and assisting them with the certification process. Learn more today.

    Looking for more to read? We suggest these other articles from our site.

    This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.

  • CMMC Series: What’s Happening in 2022

    CMMC Series: What’s Happening in 2022

    We’ve touched on the Cybersecurity Maturity Model Certification (CMMC) before in this blog, but over the next five weeks we’ll be doing a deep dive into this particular cybersecurity framework in our new CMMC Series. Starting with today’s post on what’s happening currently and what we can expect in 2022.

    At Valley Techlogic, we believe a good cybersecurity framework can be the backbone for businesses looking to beef up their cybersecurity implementation. The roadmaps found within frameworks such as CMMC, HIPAA, CIS and NIST act as a perfect guide whether you’ve been implementing cybersecurity strategies for a while or are brand new to the process.

    Our focus on CMMC occurs as the program is set to go through changes. CMMC Version 1.0 was released January 31st, 2020, and while it borrowed most of its components from NIST, it did have 30 additional requirements that aren’t found in the National Institute of Standards and Technology (NIST) framework.

    Those additional standards will not exist in version 2.0 however, as the Department of Defense (DoD) moves to simplify the program and roll back any government oversight that may overreaching. Version 2.0 will allow more companies to self-certify as well.

    Rolling out a new version of anything in the government is a time intensive process, since the new changes were announced it’s anticipated it could take anywhere from 9 months to 24 months before a ruling is established. Also, some groups who are currently involved in implementing CMMC are protesting the changes.

    Regardless of what version exists, we’re past the point where businesses who hold contracts with the DoD can choose to ignore the writing on the wall. You will need to start implementing these security measures now if you haven’t already if you want to maintain your compliance with the DoD rules for their contractors. Whether 2.0 passes or not, CMMC is not going away.

    CMMC accreditation audits are expected to kick off soon, and there’s even some talks about incentivizing businesses who receive their CMMC certifications before it’s officially required. CMMC certification also lets your customers know you take securing their data seriously within your organization.

    Whether it’s 5 tiers found in the existing model or 3 tiers found in 2.0, the best place to start is in the first tier. These changes are easy to quickly implement and will lay the foundation for future cybersecurity improvements. At Valley Techlogic, we have experience helping businesses implement the requirements found within CMMC (as well as NIST, HIPAA, CIS and more).

    We can help your business self-certify and prepare for CMMC accreditation. We can quickly bring you to compliance with tier one and set goals for the more advanced levels.

    Over the next weeks we will talk about the goals found within tier one and beyond in this ongoing CMMC series. If you’re hoping to meet the qualifications for CMMC accreditation in 2022, schedule a meeting with us today to learn how we can help with the process.

    Looking for more to read? We suggest these other articles from our site.

    This article was powered by Valley TechLogic, IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.

  • Cybersecurity Maturity Model Certification 2.0 has been announced, what it means for you and your business

    Cybersecurity Maturity Model Certification 2.0 has been announced, what it means for you and your business

    If you’re a contractor or subcontractor for the Department of Defense (DoD) you probably at least have an awareness of the evolving situation surrounding the CMMC (Cybersecurity Maturity Model Certification) program, or maybe you’ve even begun the self-assessment process.

    Announced summer of 2019, version 1.0 was released January 31st, 2020, and a 5 year roll out was planned to get DoD contractors and subcontractors compliant with the framework. The framework is based on the security controls found in the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, with many of the security controls found in CMMC having a direct correlation to a control found in NIST 800-171.

    While the initial CMMC framework was aimed at bringing defense contractors up to speed in their cybersecurity efforts to protect critical Controlled Unclassified Information (CUI), the use of the broad term CUI instead of the defense specific Covered Defense Information (CDI) phrase may indicate that this framework will extend beyond just defense contractors in the future.

    The controls found in NIST are applicable to businesses of all sizes and in all sectors so following the CMMC or NIST frameworks whether or not you’re defense contractor/subcontractor will mean your business will be well protected and compliant with rules and regulations set by your vendors, clients, and services for your business such as cybersecurity insurance.

    In it’s original iteration there were 5 maturity levels found in CMMC, with levels 1-3 really closely following NIST and 4-5 going beyond the scope of what NIST covers. They were described as “maturity levels” as they were meant to measure the maturity of the cybersecurity practices found within your organization.

    For most defense contractors, reaching level 3 of CMMC would be an ideal goal. Levels 4 and 5 covered practices outside the scope of most business’s and would require more specialized (and expensive) security practices. Even in version one of CMMC contractors were allowed to self-certify for maturity level 1, but beyond that would require outside certification. The waiting list to receive that certification is long, so planning to implement the required cybersecurity measures and getting on the waiting list to be certified ASAP is a good idea.

    Now, as of November 4th the DoD has announced an update to CMMC. Version 2 may be removing two of the levels and some of the security measures that were unique to CMMC framework, making the framework match NIST even more closely. Below is the chart we have created with the outlined changes as we know them and as of this posting.

    CMMC Version 1 and 2 Chart
    Click to view the full size.

    This is an evolving situation and as the rollout progresses it’s imperative that businesses that receive DoD contracts begin or continue to increase their efforts in becoming CMMC certified, which may mean drastically increasing your cybersecurity efforts across the board.

    Valley Techlogic has experience in helping businesses meet the goals found within the CMMC framework and we’re ready to help your business meet your certification and cybersecurity goals today. Click here to schedule a quick consultation to find out more.

    Looking for more to read? We suggest these other articles from our site.

    This article was powered by Valley TechLogic, adns, n IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.