Cybersecurity Maturity Model Certification (CMMC) is undoubtedly the most complex cybersecurity framework, and its implementation can be challenging. Here is some guidance on preparing for the audit: scoping the project, readiness assessment, how to reduce the cost, etc.
Depending on your current environment and level of cyber hygiene, your company should plan for at least six months to achieve compliance. Here’s the link to our free CMMC readiness assessment, which will give you a high-level overview of your organization’s readiness for CMMC certification.
CMMC requirements will flow down to all subcontractors from prime contractors. All future RFPs will require adherence to various levels of CMMC. Government Contractors will have to pass a CMMC audit so they can become certified and continue to offer their products and services to the DoD. The required CMMC level will be a pass/fail evaluation at the proposal stage for contract awards. In general, a CMMC certificate will be valid for 3 years. Contracts will not be awarded to organizations that do not meet the required level.
The CMMC Model has 5 Levels with a number of defined Practices and Processes in each Level that you have to comply with to get certified at that level.
What is the deadline?
Questions have emerged as to whether that deadline would still stand with the COVID-19 crisis. On March 26th, 2020, the DoD announced that COVID-19 will not delay the implementation of the CMMC on contracts beginning July 1st, 2020.
This is based on recent updates and may change. Between June and September of 2020, the initial round of audits will begin for a select number of Department of Defense Programs/RFIs, with the required CMMC Levels identified. A CMMC 3rd Party Assessment Organization (C3PAO) will ask Defense Contractors to prove how they process, store and transmit Controlled Unclassified Information (CUI). Government Contractors will need to be certified to the required Level in order to receive and bid on the RFP.
The timing of Accreditation Audits is now projected to be Q4 2020 (calendar) going forward, with RFIs including CMMC references as early as June and RFPs including CMMC references by Q4.
What CMMC maturity level will you need to certify for?
The RFP/RFI will state what level the contractor must meet. If you handle Controlled Unclassified Information (CUI) in any way, you have to meet at least CMMC Level 3.
Not all government contractors deal with CUI. If you aren’t sure, ask your contracting officer or read the RFP. Examples of CUI are personally identifiable information, schematics of military equipment, sensitive information about schedules and personnel, and configuration documentation for government networks.
What effort is required to complete project tasks and evidence gathering?
There are three factors for estimating the cost and work involved with compliance.
How complex is the network you are evaluating?
Does your network already have secure configurations and security programs installed?
What CMMC level are you trying to meet?
Is it possible to isolate your information to fewer systems, fewer networks, or fewer users, while still fulfilling the terms of your contract? You don’t need to secure ALL computer systems for the entire company. You only need to secure the systems that store, process or transmit the contract’s Controlled Unclassified Information. Make the job easier by reducing your footprint.
Poring over controls and analyzing infrastructure is a tedious and time-consuming process. If you involve an experienced SME at your organization who knows your environment well, this process will take less time.
Get a leg up on your CMMC audit preparation
Zartech’s solution and security advisors can guide you through the self-assessment process and help align your organization to the CMMC maturity level that you wish to certify for. You can leverage our tool, Cyberator, to gather all required artifacts and complete the project tasks. Then schedule the CMMC auditor to conduct the certification. Assign the auditor ‘view only’ access to the tool to review your self-assessment results with the artifacts/evidence and complete the verification. Cyberator drastically reduces the time and effort to prepare for a CMMC audit! Click here for additional details.
I recently did a webinar for the Society for Information Management’s (SIM) Cybersecurity SIG group on the topic of ‘Mature and Cost-Effective Alignment of Information Security Programs to Strategic Business Objectives’. The recording of the webinar can be found here.
Here’s the abstract of the discussion: In a typical organization, the CEO has a list of business goals and objectives that trickle down through the chain of leadership. Information security supports the business in achieving these objectives. To begin developing a strategic plan for security, it is essential to understand the business objectives and the key elements of the information security function. Business objectives can be analyzed to identify dependencies on security. The security objectives can then be defined in terms of the business objectives. Weaknesses in information security can jeopardize an organization’s mission, threaten its profitability, and invite fines and penalties from regulatory bodies. As IT leaders, we need a clear vision for security, the ability to communicate its relevance, and the managerial discipline to deliver its full value. A more effective means of managing the impact that IT risk can have on the business involves taking a holistic approach.
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years!
The European Union’s General Data Protection Regulation (GDPR) came into force on May 25, 2018 and has been described as the most significant overhaul of data protection laws in a generation. The regulation applies to organizations worldwide that offer goods or services to individuals in the EU, and the penalties for non-compliance are severe. In replacing the outdated 1995 Data Protection Directive, GDPR recognizes the impact that the Internet and other new technologies have had on the data we hold and how we share it. The European Union is forcing companies to view this as an opportunity to develop and implement data governance, protection and privacy in line with consumer expectations. Penalties for non-compliance can be severe: up to 20 million Euros or 4% of group worldwide turnover (whichever is greater).
GDPR applies to both data controllers and data processors and penalties can be imposed on one or both parties depending on their degree of responsibility. The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed. And the data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees).
Among other things, organizations will be required to maintain a data breach detection plan, regularly evaluate the effectiveness of security practices, and document evidence of compliance. However, GDPR doesn’t provide specific technical direction, meaning that organizations will be independently responsible for establishing and maintaining the best practices needed to uphold outlined data security requirements.
Zartech can help you with being GDPR compliant, contact us today.
Cyber risk mitigation is a journey, not a destination. With each step in the process, the organization achieves an incrementally better cyber risk mitigation posture. As the cyber threat landscape changes, with new risks, new vulnerabilities and new businesses, the journey continues.