What’s New in CMMC | Column 7
“What’s New in CMMC” is a regular column from MxD explaining aspects of the CMMC 2.0 framework.
With the U.S. Department of Defense aiming to get Cybersecurity Maturity Model Certification (CMMC) requirements into contracts by next May, manufacturers and suppliers who will need Level 2 compliance are being urged to prepare now. And that includes getting ready to pass a third-party assessment.
As Defense Department officials note, CMMC 2.0 details are not yet final. The three-tiered cybersecurity program for defense contractors is still making its way through the federal rulemaking process.
But the DOD has warned that thousands more companies will likely need third-party assessments to comply with CMMC Level 2 than previously estimated. And waiting to get started is not a good idea, officials say.
Many small and medium-size organizations in the defense industrial base have never done such an assessment, said Laura Élan, MxD’s senior director of cybersecurity, “which is why preparing now is absolutely necessary.”
CMMC 2.0 Level 2, which is for contractors that handle controlled unclassified information (CUI), currently has 110 requirements. That compares to fewer than 20 requirements in CMMC Level 1.
The Level 2 requirements are aligned with NIST SP 800-171, the NIST Special Publication on requirements to protect CUI. To demonstrate compliance, most Level 2 contractors will likely need to pass a third-party audit every three years, plus pledge annually that they are complying.
To pass an auditor’s assessment, manufacturers must be able to do three things, Élan says:
- Declare that they comply with each requirement.
- Have the evidence, like logs and policy documents, to back up their statements.
- Demonstrate the effectiveness of any mechanism used for compliance.
For example, a contractor may have to prove that all employees with access to CUI use multifactor authentication. That means having the policy documents available as well as authentication logs that show who accessed CUI systems and which factors they presented. And in some cases, it would mean actually demonstrating that the multifactor authentication works as it’s supposed to: blocking anyone who does not provide the additional verification.
Or a contractor may have to prove the effectiveness of an intrusion-detection system that relies on sensors. Who manufactures those sensors? Who monitors those sensor logs? If it’s a security service provider that does the monitoring, companies should be prepared to securely share the type of reports received. A contractor can point to a set period, like a year, with no security incidents, but on its own that cannot distinguish an effective sensor from a silent one; it is stronger when paired with evidence that the sensors generate alerts (for example, from a test event) and that someone actually reviews them.
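The multifactor-authentication evidence described above can be produced from the logs themselves rather than by hand. The following is an added example written for this column, not MxD’s or any vendor’s tooling: it parses a constructed key=value authentication log, restricts itself to the hosts the organization has scoped as holding CUI (the host names, user names and log format are assumptions for illustration), and reports two things an assessor asks for: successful single-factor logins to CUI systems (findings) and denials that show MFA is actually being enforced (evidence).

```python
"""Check authentication logs for MFA enforcement on CUI systems.

Added example, not MxD's or the column's own tooling. The log format,
host names and user names are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: one key=value authentication event per line, syslog-style.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"result=(?P<result>success|denied) factors=(?P<factors>\S*)"
    r"(?: reason=(?P<reason>\S+))?$"
)

# Assumption: the CUI enclave was enumerated during scoping (see Article #3).
CUI_HOSTS = frozenset({"cui-fileshare-01", "cui-erp-app"})

# Constructed sample log: one good login, one single-factor login that got
# through, one denial proving enforcement, one out-of-scope host, one junk line.
SAMPLE_LOG = """\
2023-06-12T14:02:11Z user=jdoe host=cui-fileshare-01 result=success factors=password,totp
2023-06-12T14:05:47Z user=asmith host=cui-fileshare-01 result=success factors=password
2023-06-12T14:06:02Z user=asmith host=cui-fileshare-01 result=denied factors=password reason=mfa_required
2023-06-12T14:09:30Z user=rlee host=eng-wiki result=success factors=password
Jun 12 14:10:00 cui-fileshare-01 sshd[1234]: Connection closed by 10.0.0.5
2023-06-12T15:00:00Z user=jdoe host=cui-erp-app result=success factors=password,webauthn
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    user: str
    host: str
    result: str
    factors: frozenset
    reason: Optional[str]


def parse_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    factors = frozenset(f for f in m["factors"].split(",") if f)
    return AuthEvent(m["ts"], m["user"], m["host"], m["result"], factors, m["reason"])


def mfa_evidence(lines, cui_hosts=CUI_HOSTS) -> dict:
    """Summarise MFA posture for in-scope hosts.

    findings: successful logins to a CUI host with fewer than two factors.
    enforced: denials whose reason shows the second factor was required.
    unparsed: lines the regex rejected (must be reviewed, not ignored).
    """
    findings, enforced = [], []
    in_scope = unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        if ev.host not in cui_hosts:
            continue
        in_scope += 1
        if ev.result == "success" and len(ev.factors) < 2:
            findings.append(ev)
        elif ev.result == "denied" and ev.reason == "mfa_required":
            enforced.append(ev)
    return {"in_scope": in_scope, "findings": findings,
            "enforced": enforced, "unparsed": unparsed}


def passes(summary: dict) -> bool:
    """True only when no single-factor success exists AND enforcement is visible."""
    return not summary["findings"] and bool(summary["enforced"])


if __name__ == "__main__":
    s = mfa_evidence(SAMPLE_LOG.splitlines())
    print(f"in-scope events: {s['in_scope']}, unparsed: {s['unparsed']}")
    for ev in s["findings"]:
        print(f"FINDING  {ev.ts} {ev.user}@{ev.host} factors={sorted(ev.factors)}")
    for ev in s["enforced"]:
        print(f"EVIDENCE {ev.ts} {ev.user}@{ev.host} denied: {ev.reason}")
    print("MFA control passes:", passes(s))
```

Two design choices matter for the assessor. First, unparsed lines are counted rather than silently dropped, because a log-format change that hides events is exactly the failure mode an auditor will probe. Second, `passes` requires both the absence of findings and the presence of a denial: a log that contains only successes proves nothing about whether the second factor was ever demanded.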
To get assessment-ready, Élan recommends creating a checklist with each requirement and the name of the staff member responsible for it. An information technology employee may be responsible for multifactor-authentication applications. A facilities manager may be responsible for ensuring building security. There may be more than one person responsible for protecting removable media.
“This checklist allows you to enrich your proof by making sure you have an individual identified in your organization who really is a subject matter expert on that compliance activity,” Élan said.
“The effort to get audit-ready,” she said, “increases the likelihood of audit success.”
Meanwhile, manufacturers are expected to learn in March whether the CMMC rule will be issued as an interim rule, which would allow its inclusion in contracts 60 days later. If an interim rule is not approved, CMMC would not be in contracts until May 2024.
Despite the possible long runway, Defense officials say that waiting to start on cybersecurity readiness and CMMC compliance is a bad idea.
“I don’t think it’s prudent to wait,” David McKeown, deputy Department of Defense chief information officer for cybersecurity, said during a June webinar hosted by cybersecurity company PreVeil. The NIST 800-171 requirements that align with CMMC 2.0 Level 2 “have been around for a long time. … Full adoption should have begun long ago, and I don’t think [contractors] should wait any longer to get rolling on this.”
Stacy Bostjanick, who heads CMMC implementation for the Department of Defense, echoed McKeown’s comments on the “Countdown to CMMC Compliance” webinar.
“We need to get on top of this right now,” Bostjanick said, adding that cybersecurity measures don’t just protect Defense Department data. They protect individual companies as well.
Cybercriminals are attacking U.S. companies “on a daily, hourly, moment-by-moment basis,” she said. “Companies need to be secure.”
MxD’s Cyber Marketplace offers assessments that provide organizations with vetted, market-ready cybersecurity solutions. Visit the marketplace for more information.
What’s New in CMMC Series:
Article #1: CMMC 2.0 Cybersecurity Framework: What to Expect
Article #2: CMMC 2.0: Why Manufacturers Should Get Started Now
Article #3: CMMC 2.0: Start With Scoping
Article #4: CMMC 2.0: The High Cost of Skipping Cyber Certification
Article #5: CMMC 2.0: Questions to Ask When Identifying Assets