CMMC and the Long Way Home

December 31, 2021

If you are working as a defense contractor, you will remember December 31, 2017 as the deadline to meet specific cybersecurity requirements applicable to the Defense Industrial Base (DIB) under DFARS 252.204-7012. The regulation mandated compliance with NIST 800-171, along with evidence of a corporate System Security Plan (SSP) and a Plan of Action and Milestones (POAM) – outlining the company's security strategy and its plan to implement controls and remediate any shortcomings.

In the following years, the Cybersecurity Maturity Model Certification (CMMC) effort was unveiled as the DoD regulation applicable to contractors holding Controlled Unclassified Information (CUI), augmenting the NIST 800-171 controls with additional requirements. The new controls were costly to implement, loosely defined, and did not allow a company to carry a POAM with ‘Planned’ security implementations. CMMC Level 3 was an all-or-nothing implementation and a third-party assessment challenge for companies of any size, but especially for small businesses with tighter budgets.

Last month, the Department of Defense (DoD) evolved the CMMC approach, releasing the new and improved CMMC 2.0 guidelines. CMMC 2.0 is a three-tiered model, requiring a mostly self-assessed implementation of those same NIST 800-171 safeguarding requirements – already familiar to contractors holding “Covered Defense Information” (CDI) under DFARS 252.204-7012.

With this recent update, we are back to where we started, with the familiar 110 controls – and it was definitely the long way home. The CMMC meandering proved to be a grand distraction this year, but regardless of the journey, the destination remains the same. DIB contractors are still required to implement solid cybersecurity practices to protect information, and the gold standard for that is still NIST 800-171. Kudos to those companies that met the requirement on time, 4 years ago. For those companies that haven’t yet, you’re late to the party and it may be time to start playing catch-up.

The start of a new year is a great time to evaluate your security strategy and take actionable steps to fully align with CMMC 2.0 requirements. Here are some easy security resolutions you might consider as you head into 2022.

Schedule reviews and update your policies, procedures, and organizationally defined parameters. Whether you self-assess or are assessed by a third party, you must have artifacts showing that review sessions were conducted periodically.

Change default passwords and verify that any new devices on your network do not have lingering default configurations. This includes anything connected to the internet, such as Internet of Things (IoT) devices.

Plan for cybersecurity awareness training, with a focus on phishing attacks and the risks of ransomware at home and at work. Consider testing your employees with email phishing campaigns.

Review your physical asset inventory and vulnerability reports for all corporate assets, and push out updates across all devices, applications, and browsers. Air-gap or isolate anything that cannot be updated.

Verify that multi-factor authentication (MFA) is enabled and enforced on all devices. MFA adds an extra layer of defense in protecting assets, accounts, and sensitive information. About 80% of data breaches are caused by password compromise, so this is an easy win.

Want to learn more? Contact us today to learn more about how we can protect your business in the new year.