Services for the Defense Industrial Base
CMMC 2.0 / NIST 800-171
Is Your Business Compliant?
The risks associated with doing business with small organizations have skyrocketed. Because of this, the Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC). In recent months and years, the adoption of this model has accelerated throughout the DoD and many non-defense sectors of government.
Many Managed Service Providers (MSPs) cannot comply with CMMC security controls and requirements. Oftentimes MSPs will outsource their implementation of CMMC controls, resulting in miscommunication and increased downtime for business-critical operations.
If you need to establish and maintain CMMC or 800-171 compliance, CorpInfoTech can get you there on time and with demonstrable results. Our unique assessment methodology allows for mapping between the most common control frameworks, including those required by the DoD and numerous regulatory regimes such as PCI and HIPAA.
CorpInfoTech’s Managed Services Are Fully
NIST Special Publication 800-171 (NIST 800-171)
Current Version: R2.0
The document can be directly viewed
This Special Publication was created specifically to address confidentiality concerns for federal data that resides on computer and information systems outside the control of the federal government, specifically the information systems of third-party contractors and the organizations they subcontract with.
NIST 800-171 outlines what steps should be taken by non-federal entities to secure Controlled Unclassified Information (CUI). It breaks these steps into fourteen families of security controls.
The document closely aligns with the catalog of security controls specified by both NIST SP 800-53 and ISO 27001. Ultimately, NIST 800-171 requires an organization to create a System Security Plan (SSP) that details the technical boundaries within which CUI will be stored, accessed, and processed. Additionally, the SSP must detail how the organization meets the security requirements of SP 800-171, how technical systems outside the CUI boundary (including third-party services) interact with the organization, and the relationships between technical systems as viewed through the security requirements of SP 800-171.
Once these elements are formalized and codified into an SSP, SP 800-171 goes on to require that an organization identify any gaps in coverage (“mapping”) between the required security controls and those that are in place and in effect.
Importantly, only security controls that are in place are considered – no credit or consideration is given for a future state. This gap analysis must meet several basic requirements, which include identifying a prioritized order in which all gaps will be closed, identifying a date by which each gap will be closed, and naming an individual within the organization as the responsible party for closing each gap. This set of information comprises the organization’s Plan of Action and Milestones (POA&M or POAM).
Cybersecurity Maturity Model Certification (CMMC)
Current Version: v2.0
The CMMC, which has three levels of certification ranging from “Foundational” to “Expert”, was implemented to increase the cybersecurity posture of the U.S. Government’s supply chain. The current DFARS clause (section 252.204-7020) does not require third-party assessments; contractors may self-attest that they have complied with NIST SP 800-171. CMMC, however, will require independent, third-party assessments in order to achieve certification.
A Phased Rollout
The implementation of CMMC in Department of Defense contracts was a hot topic when the model first started gaining interest. There were many unanswered questions, like “What if I’m 3 years into a 5-year contract?”
Fortunately, the governing agencies have offered some insight into these questions. The first, and most important, thing to note is the set date by which we can expect to see a CMMC requirement on all contracts and solicitations from the DoD: May 2023.
Even with that date firmly established, there is still a chance your contract will come under the scope of a CMMC clause requiring certification before then. CMMC clauses are expected to be added to the most critical contracts over the next few years leading up to May 2023, when every DoD contract will contain a CMMC requirement. Each year, expect to see more and more contracts with the CMMC clause in them.
The Bottom Line: While we are at least a year away from CMMC being required in all contracts, it is inevitable, and you could find yourself facing a CMMC requirement much earlier than that. If you are involved in manufacturing or services that relate to weapons, space, or military communications, expect this clause sooner rather than later.
Obtaining CMMC certification has become a topic of much confusion and secondhand information. Here are a few things that we know for sure.
At the time of publication (10/2021) there is not a single CMMC-certified company in existence. An organization called “The Accreditation Body” (CMMC-AB) has begun the process of accrediting organizations and individuals who are able to provide the qualified assessments that can result in CMMC certifications.
C3PAOs (the companies that will conduct and oversee individual assessments) and RPOs (the organizations that will help companies remedy gaps and manage ongoing compliance) have started to undergo their own CMMC Level 3 assessments, conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Before these C3PAOs/RPOs can start conducting assessments of other companies, they will need to pass their own assessments with DIBCAC.
Importantly, no third-party organization, regardless of its claims, has the ability to grant a CMMC certification yet. They can perform gap assessments, prepare documents, create evidence, manage policies, and everything in between, but they are not able to grant certification yet.
DFARS 252-400 governs the current self-reporting and self-assessment by contractors of their compliance with NIST 800-171 and related Controlled Unclassified Information (CUI) security controls.
This policy section applies to nearly all companies doing business with the DoD (and their related entities). It is not CMMC, but it does allow contracting officers to specify which NIST 800-171 requirements a company must comply with.