A Practical Guide to Next Steps of the Pentagon’s Vendor Cyber Certification Program


Kicking your cybersecurity can down the road is no longer an option.

With the release of the Defense Department's Cybersecurity Maturity Model Certification (CMMC) version 0.6, there are new guidelines that will require defense contractors to act now to prepare. Instead of a technical summary of the 90-page guidance, here are the steps businesses can take today to be ready for January 2020.

First, Time is of the Essence

The department has identified cybersecurity weaknesses in the supply chain as a threat to the economy and to national intelligence. In response, it is implementing a process whereby all 300,000-plus defense contractors, large and small, primes and subs, are required to be CMMC certified in order to bid on new contracts. The Pentagon has confirmed that cybersecurity is the fourth evaluation criterion for all new contracts, alongside cost, schedule and performance.

The CMMC model has five defined levels of cybersecurity preparedness ranging from basic cybersecurity hygiene to proactive and advanced levels. The certification must be performed by a third party and it is partially reimbursable. Contractors will no longer be able to self-certify.

Time is of the essence, as the final rule is anticipated in January 2020 with a June 2020 effective date. However, since CMMC requires both technical practices and process maturity, the sooner contractors improve their cybersecurity preparedness the better.

Process Maturity is the Greatest Hurdle

Defense's sixth version of its CMMC guidance was released Nov. 8 and clearly defines the steps contractors need to take for Levels 1-3 (guidance for Levels 4 and 5 will be released later). All organizations must meet technical practices and process maturity across 17 cybersecurity domains: access control, asset management, audit and accountability, awareness and training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, recovery, risk management, security assessment, situational awareness, system and communications protection, and system and information integrity.

The technical practices are clearly articulated in the guidance across the 17 domains. Depending on the level an organization seeks, the practices include implementing the basic safeguarding requirements of 48 CFR 52.204-21 (at Level 1) and, at higher levels, the security requirements of NIST SP 800-171.

Process maturity is "the extent of institutionalization of practices at an organization." Depending on the level an organization seeks, its cybersecurity processes must be established, documented, implemented, reviewed, planned and "adequately resourced." Each of the 17 domains will require meeting the process maturity standards.

Practical Steps to Prepare for CMMC and Beyond

Now that the CMMC guidance is out, all defense contractors should be taking the following steps to prepare:

  • Assessment of Current Cybersecurity: Every organization should assess whether it currently meets the technical and process maturity standards in CMMC. Furthermore, defense contractors are often subject to additional contractual obligations and regulatory standards related to cybersecurity and data protection/privacy. Knowing your organization's current preparedness is good business and essential risk management.
  • Vulnerability Remediation: As part of the cybersecurity assessment, businesses should identify vulnerabilities and compliance gaps, both against CMMC and more broadly. A plan to remediate the gaps should be created and implemented, with owners and dates so that progress can be shown to an assessor.
  • Process Maturity: Creating, documenting, implementing, training on and confirming cybersecurity processes takes time. The sooner organizations set up a system that builds a record of process maturity, the better prepared they will be not only to satisfy CMMC but also to handle a cyber event.
  • Plan for Adequate Resources: CMMC process maturity for Levels 3 and above requires the provision of "adequate resources" for the controls in the 17 domains. Organizations should evaluate their existing resources and consider whether additional resources are warranted. The department has left this requirement purposefully vague, so expertise with its cybersecurity expectations is essential for preparing.
  • Culture of Cybersecurity: The Pentagon has expressly stated that CMMC will evolve over time and is only the first line of defense for contractors' overall cybersecurity programs. Integrating a culture of cybersecurity throughout all aspects of the business is essential to mitigate risks and to minimize impacts if a breach occurs. Recall the startling statistic from IBM that 29.2% of all businesses should anticipate a cyber event within the next two years.

Don't Wait – Act Now

Kicking your cybersecurity can down the road is no longer an option. Internal resources alone are not your best option, since they are often inefficient and lack the interdisciplinary expertise needed to adequately address your cybersecurity. To be best prepared for these business-changing regulations, experts need to be brought into the fold as soon as possible to prepare your company for what lies ahead in the new year.

Bret C. Cohen is the chief executive officer of Tier 1 Cyber.
