Know the CMMC Lingo
The path to compliance with CMMC is strewn with acronyms. Here are the ones you need to know:
CMMC 2.0. Cybersecurity Maturity Model Certification.
The DoD program for verifying that a contractor has implemented the cybersecurity practices required to protect the government information it handles. Version 2.0, announced in November 2021, is the current iteration; it replaced the original five maturity levels with three.
CUI. Controlled Unclassified Information.
Information that the government creates or possesses, or that a contractor creates or handles on the government’s behalf, that is not classified but that law, regulation or government-wide policy requires be safeguarded. For a DoD vendor this typically includes the technical details of the products or services it supplies under contract.
C3PAO. CMMC Third-Party Assessor Organization.
A company authorized by the CMMC accreditation body to conduct the assessment that determines whether a contractor meets the requirements of its CMMC level.
DIB. Defense Industrial Base.
The network of companies, including subcontractors, that develop and supply products and services to the Department of Defense (DoD). CMMC applies to DIB contractors that handle FCI or CUI.
FCI. Federal Contract Information.
Information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service. Information the government releases to the public, and simple transactional data such as that needed to process payments, is excluded.
POA&M. Plan of Action and Milestones.
A roadmap listing each CMMC requirement a vendor has not yet met, the remediation steps and the dates by which they will be completed. CMMC 2.0 permits a POA&M only for a limited set of requirements and for a limited time (closeout within 180 days), subject to acceptance by the DoD.
Companies may obtain more information about the CMMC program at the Department of Defense website: https://dodcio.defense.gov/CMMC/
Group’s Infosec Institute, a provider of CMMC certification courses. “They can then guide you through the process, give you pointers on what you need to do to get yourself ready, and what they will look for when they come to do their assessment. They’re very good at giving out that information.”
Although it adds expense, engaging an outside firm helps ensure that the security program is thorough. The total cost, however, remains nebulous. “The DoD has been planning to provide a potential cost outline but has not yet done so,” said Jones.
Part of the expense can be mitigated by outsourcing compliance to an infrastructure provider that offers both consulting services and a pre-built technical solution: a secure data enclave that satisfies CMMC requirements. Confining CUI to such an enclave also keeps the number of systems in scope for assessment small. This infrastructure provider will secure the data the DoD needs protected, said Jones. “The pro here is the solution can be less expensive; the con is that companies have a little less autonomy than if they did the projects on their own.”
Levels of Security
Whatever the solution path, a company’s first step is to determine which CMMC level its contracts will require. The level is specified by the DoD in each solicitation, but a company can anticipate it from the kind of information it handles: FCI alone, or CUI as well. Ranked from low to high in terms of required security practices, here are the three levels specified by CMMC 2.0:
Level 1 (Foundational)
Organizations at this level must protect Federal Contract Information (FCI), the non-public information provided by or generated for the government under a contract for a product or service. It requires the fewest security practices, since contract details are less sensitive than CUI, and compliance is verified by an annual self-assessment.
Level 2 (Advanced)
These organizations must protect data that fall into the category of Controlled Unclassified Information (CUI), the sensitive government-owned data describing the products or services under contract. Level 2 corresponds to the 110 security requirements of NIST SP 800-171; depending on the contract, it is verified by a triennial C3PAO assessment or by self-assessment. Most spring manufacturers are likely to fall into Level 2, since details about specific types of springs produced in support of a DoD contract will likely be considered CUI.
Level 3 (Expert)
Organizations assigned the highest level handle the most sensitive CUI on the DoD’s highest-priority programs, often pure intellectual property such as software, the loss of which could cause significant damage to the DoD. Level 3 adds a subset of the enhanced requirements of NIST SP 800-172 and is assessed by the government rather than by a C3PAO.
First Steps
To determine its level, the business must start by taking inventory of the FCI and CUI it possesses. “FCI is fairly easy to determine, since it is clear which federal contracts are in effect,” said Jones. “CUI can be more difficult to identify.” Here’s where a practiced consultant will be of help.
After determining a company’s maturity level, the next step is to define the scope of the CMMC compliance project: which systems, networks, people and facilities store, process or transmit FCI and CUI. Keeping that footprint small, for example by confining CUI to a dedicated enclave, keeps the assessment small. Scoping begins with a gap analysis of the security controls in the organization’s current technical environment against the requirements of its level. The company can then design and carry out a program to close the gaps and bring those controls into CMMC compliance.
There’s another dimension to the CMMC picture: staff training. “Decisions need to be made about who can interact with FCI and CUI data, and when and how they can do so,” said Jones. “Access must be restricted based on a business need to know. Does the CEO, for example, really need day-to-day access? Finally, those employees designated to put hands on the data must also be trained on the correct procedures.”
Self-Assessment
Once procedures have been put into place, the company normally undertakes a thorough self-assessment. Do all processes comply with CMMC standards? And if not, is there a plan in place to bring the operations into compliance within a reasonable time? That plan is documented in a Plan of Action and Milestones (POA&M). “The DoD will assess whether that POA&M is acceptable,” said Jones.
Faced with a formidable project, spring manufacturers will need to marshal all available forces to bring their projects to completion. “The sooner you jump on it, the better off you’re going to be,” said Evans. “The biggest mistake companies can make is not taking CMMC compliance seriously and waiting until the deadline arrives to get a handle on things.”
Achieving CMMC compliance is not a one-and-done affair, added Jones. “Organizations must continuously safeguard their CUI and improve their data security processes to make sure only the right people have access to their protected information.”
It’s an all-hands-on-deck affair. The entire company must get aboard the CMMC bandwagon. “Executive buy-in is critical,” said Jones. “If a company tries to do CMMC compliance as a one-off IT initiative rather than a company-wide project with sufficient managerial and budgetary support, it is doomed to failure.”
How Complete is Your CMMC Program?
How close is your company to full compliance with CMMC? Find out by scoring 10 points for every “yes” answer to the following questions. Total your score and check your rating at the bottom of the sidebar.
1. Is your CMMC compliance program a company-wide effort rather than a specialized IT initiative?
2. Have you analyzed the security protocols currently in place in your company?
3. Have you designed a realistic plan to achieve compliance?
4. If you do not have a sufficient level of internal expertise, have you obtained help from a consulting firm experienced in CMMC?
5. If you have acquired the services of an outside consultant, have you designated internal personnel to coordinate their efforts?
6. Have you analyzed the amount of FCI and CUI data your company possesses?
7. Have you determined which of the three CMMC levels your company belongs in?
8. Have you created a list of people who will need to have access to FCI and CUI data?
9. Have you trained those individuals to access protected data in a secure manner that conforms to CMMC?
10. If you have completed your compliance program, have you conducted a thorough self-assessment in preparation for a visit by an assessor from an authorized C3PAO?
What’s your score?
80 or more: Congratulations. You have gone a long way toward achieving the level of security required to sell to the DoD.
60 or 70: It’s time to light a fire under your CMMC compliance program.
Below 60: Your business is at risk. Act on the suggestions in the accompanying story.