The CMMC (Cybersecurity Maturity Model Certification) started within the Department of Defense (DoD) to reduce the theft of military intelligence, but as expected, it doesn’t look like it will be long before it spreads to other sectors. There’s interest in amending Sarbanes-Oxley to include CMMC, which will impact the financial sector. Don’t fear that this is just an additional burden: the CMMC model is set up to be clearer and easier to implement. Standardization in security compliance is a win for businesses trying to juggle multiple requirements.
As you may know, the final guidelines were published in January 2020 and targeted the summer for enforcement. We all wondered how the COVID-19 crisis would impact the planned rollout. We learned this month that it will NOT slow down the July 1, 2020 enforcement date. The rollout is a “crawl-walk-run” plan, and the audit process will utilize video conferencing and on-site surveys following any protective guidelines. If you have a contract up for renewal in the coming year, you need to be prepared.
CUI (Controlled Unclassified Information) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.*
A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at https://www.archives.gov/cui
If you DO NOT handle CUI under your DoD Contracts, any contract renewals will most likely require Level 1. All companies conducting business with the DoD will require some level of CMMC.
If you DO handle CUI under your DoD Contracts, any contract renewals will require at least Level 3. Level 2 is only an interim step in your efforts to prove CMMC Level 3.
It is best to start with understanding your current state and how it compares to the requirements of the desired level. Where you THINK you stand is often very different from where you actually stand. One VERY IMPORTANT change from what you are used to: there is NO POA&M (Plan of Action and Milestones). You must meet all requirements before you are considered certified. There’s no “we are working on it”.
Most companies benefit from partnering with a company well educated in cybersecurity and compliance. It seems every IT company says they do the same thing, whether they have 5 employees or 50. Can that be true? No, but how can you tell?
It’s hard to judge the difference in the quality of staff, although experience and certifications can be a good indicator. For cybersecurity and compliance, measure your partners against this checklist.
Experience in Risk Assessments mapped to compliance standards.
There’s a lot of information out there, just like this post. Be sure to go straight to the source; that is what we do. *This is a great FAQ about CMMC: https://www.acq.osd.mil/cmmc/faq.html
Katie Arrington, chief information security officer for acquisition with the DoD, is the architect behind the model. Look for webinars featuring Katie.
As you may suspect, The AME Group security division provides a broad range of services including free consultations. Contact Us to engage our security team.