Cyber threats are continually on the rise, and the Department of Defense (DoD) is taking measures to ensure the best security practices are in place. Contractors will soon be required to comply with the DoD’s Cybersecurity Maturity Model Certification (CMMC) process. The intent of this process is to create security standards and requirements for contract awards.
While some DoD contracts already require some level of cybersecurity assurance, it is expected to be a requirement of all new DoD requests for proposals soon. This includes both prime contractors who engage directly with DoD, and any subcontractors who are contracted with the prime to provide fulfilment of those contracts.
What is CMMC?
CMMC, or “Cybersecurity Maturity Model Certification,” includes everything from basic to advanced security levels. The DoD created the CMMC process to ensure that companies bidding on defense contracts meet certain cybersecurity standards and requirements, with more rigor than NIST 800-171, and a requirement for third-party validation. NIST 800-171 only required self-attestation. Any company, business, or organization that does business with the DoD will be required to meet CMMC requirements. The implementation of these requirements can stretch from on-premises data centers or private cloud, to hosted private cloud, or into a cloud service provider’s accredited government cloud.
Across the 17 domains that make up the CMMC framework, there are three main areas of focus for CMMC compliance: technology, processes and documentation.
There are five CMMC levels used to measure a contractor’s cybersecurity practices:
- Level 1: Basic Cyber Hygiene for Practices and Performed for Processes
- Level 2: Intermediate Hygiene for Practices and Documented for Processes
- Level 3: Good Cyber Hygiene for Practices and Managed for Processes
- Level 4: Proactive for Practices and Reviewed for Processes
- Level 5: Advanced/Progressive for Practices and Optimizing for Processes
According to the DoD, “CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to certify basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.”
Each level has a set of processes and practices that contractors are assessed against. As they advance in their assessments in each domain, their overall certification to a level is achieved.
The DoD will have contract opportunities available at every certification level, so there will be some opportunities that only require a Level 1 certification, and others that will require a Level 5.
How can Red River help you comply with CMMC?
With five levels, 17 domains, 43 capabilities and 171 practices, the CMMC framework is complex. Red River can assess certain aspects of your organization’s current cybersecurity practices and make recommendations about the actions that will help with CMMC compliance, and then execute – or even better, automate – the areas where you need improvement.
Red River has expertise to help support your organization’s efforts to pursue CMMC compliance across several of the domains, such as access control, incident response and risk management, to name a few. The Red River Security Practice team provides subject matter expertise to help keep your organization moving forward by delivering the highest levels of protection to your business systems, data assets and IT infrastructure. As organizations continue to migrate to the cloud, Red River leverages market-leading continuous compliance toolsets to validate real-time configurations within the cloud to verify CMMC controls are in place.
Red River’s security solutions encompass risk management, compliance, security assessment services, cybersecurity solutions, network security, identity & access management solutions and customized vendor integration reference architectures. Our ongoing cybersecurity managed service offerings protect and secure end-users from malicious attacks, potential threats, and unauthorized distribution of organizational documents while keeping teams productive.
Working with Red River as soon as possible will help you adjust your cybersecurity infrastructure and build technology strategies to support your CMMC requirements and contribute to your continued success as a DoD contractor.