Services for the Defense Industrial Base
Your Business is Unique!
The risks associated with doing business with small organizations have skyrocketed. Because of this, the Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC). In recent months and years, the adoption of this model has accelerated throughout the DoD and many non-defense sectors of government.
Many Managed Service Providers (MSPs) cannot comply with CMMC security controls and requirements. Often it is the tools, software, and lack of processes employed by the MSP that cause it to fail compliance.
If you need to establish and maintain CMMC or 800-171 compliance, we can get you there on a budget, on time, and with demonstrable results. Our unique assessment methodology allows for mapping between most common control frameworks, including those required by the DoD and numerous regulatory agencies, including PCI and HIPAA.
CIT doesn’t oversell or push requirements that you don’t need; we secure you for your unique business needs and information assets!
NIST Special Publication 800-171 (NIST 800-171)
Current Version: R2.0
The document can be directly viewed
This Special Publication was created specifically to address confidentiality concerns for federal data that resides on computer and information systems outside of the control of the federal government, specifically the information systems of 3rd party contractors and the organizations they sub-contract with.
NIST 800-171 outlines what steps should be taken by non-federal entities to secure Controlled Unclassified Information (CUI). It breaks these steps into fourteen families of security controls.
The document closely aligns with the catalog of security controls specified by both NIST SP 800-53 and ISO 27001. Ultimately, NIST 800-171 requires an organization to create a System Security Plan (SSP) that details the technical boundaries in which CUI will be stored, accessed, and processed. Additionally, the SSP must detail how the organization meets the security requirements of SP 800-171, how technical systems outside of the CUI boundaries (including those of 3rd party services) interact with the organization, and the relationships between technical systems as viewed by the security requirements of SP 800-171.
Once these elements are formalized and codified into an SSP, SP 800-171 goes on to require that an organization identify any gaps in coverage (“mapping”) between the required security controls and those that are in place and in effect.
Importantly, only security controls that are in place are considered; there’s no credit or consideration given for a future state. This gap analysis must meet several basic requirements, which include identifying a prioritized order in which all gaps will be closed, identifying a date by which each gap will be closed, and naming an individual within the organization as the responsible party to close each gap. This set of information comprises the organization’s Plan of Action and Milestones (POA&M or POAM).
Cybersecurity Maturity Model Certification (CMMC)
Current Version: v2.0
The CMMC, which has five levels of certification ranging from “Basic Cyber Hygiene” to “State of the Art”, was implemented to increase the cybersecurity posture of the U.S. Government’s supply chain. The current DFARS clause (section 252.204-7020) does not require third-party assessments; contractors may self-attest that they have complied with NIST SP 800-171. CMMC, however, will require independent, third-party assessments in order to achieve certification.
A Phased Rollout
The implementation of CMMC in Department of Defense contracts was a hot topic when the model first started gaining interest. There were many unanswered questions, like “What if I’m 3 years into a 5-year contract?”
Fortunately, the governing agencies have provided some insight into these questions. The first, and most important, thing to note is the set date by which we can expect to see a CMMC requirement on all contracts and solicitations from the DoD: October 1st, 2025.
Even with that date firmly established, there is still a chance your contract will come under the scope of a CMMC clause requiring certification before that date. CMMC clauses are expected to be added to the most critical contracts over the next few years leading up to October 1st, 2025, when every DoD contract will contain a CMMC requirement. Each year, expect to see more and more contracts with the CMMC clause in them.
The Bottom Line: While there are several years before CMMC is required in all contracts, it is inevitable, and you could find yourself facing a CMMC requirement much earlier than that. If you are involved in manufacturing or services that relate to weapons, space, or military communications, expect this clause sooner rather than later.
Obtaining CMMC certification has become a topic of much confusion and indirect information. Here are a few things that we know for sure.
At the time of publication (10/2021) there is not a single CMMC-certified company in existence. An organization called “The Accreditation Body” (CMMC-AB) has begun the process of accrediting organizations and individuals who are able to provide the qualified assessments that can result in CMMC certifications.
C3PAOs (the companies that will conduct and oversee individual assessments) and RPOs (the organizations that will help companies remedy gaps and manage ongoing compliance) have started to undergo their own CMMC Level 3 assessments, conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Before these C3PAOs and RPOs can start conducting assessments of companies, they will need to pass their own assessments with DIBCAC.
Importantly, no 3rd party organization, regardless of its claims, has the ability to grant a CMMC certification yet. They can perform gap assessments, prepare documents, create evidence, manage policies, and everything in between, but they are not able to grant certification yet.
DFARS 252-400 governs the current self-reporting and self-assessment by contractors of their compliance with NIST 800-171 and related Controlled Unclassified Information (CUI) security controls.
This policy section applies to nearly all companies doing business with the DoD (and their related entities). It is not CMMC, but it does allow contracting officers to specify which NIST 800-171 requirements a company must comply with.
What Does Your Business Really Need?
Have you been approached about DFARS 252.204 certifications or NIST 800-171? Have you received a lengthy questionnaire issued by your contracting officer or customer?
We can help you understand your requirements, submit accurate and timely information, and relieve the burden of uncertainty that surrounds such critical responses.
Instead of paying for something you may not need through an MSP who may not fully understand the requirements, CIT can help assess your real compliance needs!
Serious about Support
At CIT, we view technology support as extending from the desktop through the datacenter and into the cloud. Regardless of how an organization defines “office”, we are here to equip, enable, and support the productive use of technology to deliver on its mission and objectives.
Check out some of the recent articles we’ve published relating to the end-user community and equipping users to succeed in the modern business.