Tag: NIST 800-171

  • 2023 is coming, is your business CMMC ready?

    For some Department of Defense (DoD) contractors, CMMC (Cybersecurity Maturity Model Certification) compliance may be a looming obligation they have yet to address. If you are among those currently making headway on it, you may not be certain which level your business needs to reach.

    CMMC version 2.0 was announced last November, and it appears that it will be the de facto model going forward. Version 1 had 5 levels of CMMC compliance, which have now been reduced to 3. To put it simply, level 1 of the program remained the same, levels 2 and 3 were combined, and levels 4 and 5 were also combined.

    This means that if you were aiming for level 2 under the previous version of the program, you will now need to address the topics in level 3 to be compliant.

    Level one, or the Foundational Level, is meant for those who do not handle Federal Contract Information (FCI) data. The checklist features just 17 items, and your compliance is self-attested, which means you do not need formal CMMC testing to be compliant with the program.

    Many DoD contractors, though, will fall into level 2, the Advanced Level, because they handle Controlled Unclassified Information (CUI). Level 2 features 110 controls, all of which originate from NIST SP 800-171.

    Along with version 2.0, it was announced that the additional CMMC-specific controls would be removed. If your business was already working towards NIST compliance before CMMC was announced, you are in a perfect position to work towards your CMMC compliance goals.

    While 2.0 has not yet been signed into law, the Pentagon announced last April that CMMC language would begin appearing in DoD contracts starting July 2023, so the clock is definitely ticking if your business will be vying for those contracts.

    A small portion of businesses will be required to undertake the rigorous task of becoming compliant with level 3 of CMMC, the Expert Level. It is based on NIST SP 800-171 and 800-172 and has 134 requirements at the time of writing, many of which require specialized equipment and software.

    For both levels 2 and 3, audits will be required through the CMMC Accreditation Body (recently renamed Cyber-AB). Cyber-AB is an independent auditing body, and we’ve been told the wait times to be audited are lengthy, though this will get a little better as the program gains more auditors. It is still a good idea to make sure your business is ready and meets the compliance standards, especially as CMMC regulations continue to be rolled out ahead of the official release. You do not want to be caught needing proof of compliance to meet your contract requirements and not having it.

    The DoD has also indicated that it will take a contractor’s level of CMMC compliance into consideration when awarding contracts, so not being compliant may not just put your existing contracts at risk; it could cost you new ones as well.

    We have several articles explaining the levels and controls in more detail; here are our articles on levels one, two, and three.

    If you have barely scratched the surface in your organization, you can still make changes that will put you in a better position when you begin to tackle it in earnest. Many of the requirements, especially those found in level one, are common-sense advice for being safer online. You (and your employees) can work on these five items first:

    If, after reviewing the information, you feel you need a hand either to cement the cybersecurity processes you already have in place or to have a partner in your CMMC goals, Valley Techlogic can help.

    We have firsthand experience with the CMMC program and with helping clients become CMMC certified. Our tools will help you meet the necessary requirements and quickly get your business ready for the audit process.

    Make an appointment today for a free consultation to learn more.

    Looking for more to read? We suggest these other articles from our site.

    This article was powered by Valley Techlogic, an IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.

  • Cybersecurity Maturity Model Certification 2.0 has been announced, what it means for you and your business

    If you are a contractor or subcontractor for the Department of Defense (DoD), you are probably at least aware of the evolving situation surrounding the CMMC (Cybersecurity Maturity Model Certification) program, or maybe you have even begun the self-assessment process.

    Announced in the summer of 2019, version 1.0 was released on January 31st, 2020, and a 5-year rollout was planned to get DoD contractors and subcontractors compliant with the framework. The framework is based on the security controls found in the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, with many of the security controls in CMMC having a direct correlation to a control in NIST 800-171.

    While the initial CMMC framework was aimed at bringing defense contractors up to speed in their cybersecurity efforts to protect critical Controlled Unclassified Information (CUI), the use of the broad term CUI instead of the defense specific Covered Defense Information (CDI) phrase may indicate that this framework will extend beyond just defense contractors in the future.

    The controls found in NIST are applicable to businesses of all sizes and in all sectors, so following the CMMC or NIST frameworks, whether or not you are a defense contractor or subcontractor, will mean your business is well protected and compliant with the rules and regulations set by your vendors, clients, and services such as cybersecurity insurance.

    In its original iteration there were 5 maturity levels in CMMC, with levels 1-3 closely following NIST and levels 4-5 going beyond the scope of what NIST covers. They were described as “maturity levels” because they were meant to measure the maturity of the cybersecurity practices within your organization.

    For most defense contractors, reaching level 3 of CMMC would be an ideal goal. Levels 4 and 5 covered practices outside the scope of most businesses and would require more specialized (and expensive) security practices. Even in version one of CMMC, contractors were allowed to self-certify for maturity level 1, but anything beyond that would require outside certification. The waiting list to receive that certification is long, so planning to implement the required cybersecurity measures and getting on the waiting list to be certified as soon as possible is a good idea.

    Now, as of November 4th, the DoD has announced an update to CMMC. Version 2 may remove two of the levels and some of the security measures that were unique to the CMMC framework, making the framework match NIST even more closely. Below is the chart we created outlining the changes as we know them as of this posting.

    CMMC Version 1 and 2 Chart

    This is an evolving situation, and as the rollout progresses it is imperative that businesses that receive DoD contracts begin or continue to increase their efforts to become CMMC certified, which may mean drastically increasing your cybersecurity efforts across the board.

    Valley Techlogic has experience in helping businesses meet the goals found within the CMMC framework, and we are ready to help your business meet its certification and cybersecurity goals today. Schedule a quick consultation to find out more.
