If you’re a defense industrial base (DIB) contractor, you already know you need to meet the compliance requirements of the new CMMC system, which goes live May 2023. Most government contractors are required to meet CMMC Level 2.
The bad news is that it can be a complex journey to show you are compliant in how you protect Controlled Unclassified Information (CUI).
The good news is that 1) if you’ve already been following NIST 800-171 guidelines, you’re well on your way to CMMC Level 2, and 2) if not, you can start implementing some things now that will make the actual compliance process easier.
Self-assess: The Interim Rule allows you to self-assess, so you can get started on some of this work yourself. (I wrote about this when the interim rule came out.)
Put in place what you can now: As I mentioned above, NIST 800-171 is a solid place to start. Here are some simple places to begin:
- Access controls: Who has access to your data, and who is actually authorized to have it? Start documenting as much as you can.
- Awareness and training: Your staff should be trained on CUI handling, as well as how to spot and prevent cyber and insider threats.
- Incident response: Document what happens if you have an incident. (Our checklist is a great resource.)
- Media protection: Ensure secure handling of backups, external drives, and backup equipment.
- Physical protection: Make sure only authorized personnel have access to physical spaces where there is CUI.
- Risk assessment: Conduct pen testing and get a handle on where you’re vulnerable. (You can read more about that here.)
- Security assessment: Verify that your security procedures are in place and working. (This is another place to start documenting your procedures.)
Of course, we here at Duffy Compliance can guide you through any part of the above as well as your entire compliance journey. If you want to connect to see what this means for your organization, you can easily set up a time with me here.