CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)
As of January 2020, the Department of Defense released the Cybersecurity Maturity Model Certification (CMMC), which builds on the existing requirements for protecting Controlled Unclassified Information (CUI) and adds a verification component that the earlier, self-attested regime lacked.
Every contractor that stores, processes, or transmits Federal Contract Information (FCI) or Covered Defense Information (CDI) is considered a covered entity and is therefore required to meet the CMMC requirements. This applies equally to its subcontractors and to any supply-chain partners that handle FCI or CDI on its behalf.
CMMC is designed to measure the cybersecurity maturity of an organization across five levels. Each level consists of processes and practices drawn from established cybersecurity frameworks and standards, and each level builds on the one before it.
The 5 Levels
- Level 1 is equivalent to the basic safeguarding requirements of FAR Clause 52.204-21
- Level 2 builds on Level 1 and adds documented policies covering the 14 families of security requirements (domains) in NIST SP 800-171
- Level 3 builds on Levels 1 and 2 and requires all of the NIST SP 800-171 security requirements to be implemented, together with a System Security Plan (SSP) and a Plan of Action and Milestones (POAM)
- Level 4 adds review and measurement of the security practices to confirm they are effective
- Level 5 goes further still, optimizing the security practices across all applicable components of the organization
So how do you achieve CMMC compliance?
And which level do you need? Unlike in the past, companies must now have a third party validate their CMMC compliance. In short, certification is now a prerequisite for continuing to do business in this industry.
We understand this is not your business. It is ours.
Our objective for our clients is simple:
We relieve the stress of trying to become compliant on your own.
We provide solutions ideally suited to remove the additional tasks that burden the client, such as:
- Tracking users' completion of security awareness training and phishing exercises
- Conducting vulnerability assessments and prioritizing remediation
- Near real-time review of continuous security monitoring solutions
The Cybersecurity Industry
Many cybersecurity companies are changing their specialties to try to help organizations comply with the CMMC requirements.
As in every industry, the fact that a company operates in a related field and sells a product or specialized service on a particular topic does not mean it is qualified to take on a new line of business.
You need someone experienced in putting in place the controls and documentation you will need to keep working on federal contracts.
You need experienced subject matter experts.
What Sets Duffy Compliance Services Apart
We have a proven methodology that sets us apart. Anyone can read the compliance security requirements. The real value lies in knowing how to satisfy those requirements using your existing infrastructure and new technologies that do not require additional staff commitment, and in knowing how to put them in place. We have created a proprietary three-phase approach to understand where you are, get you compliant, and then keep you there.
Gap Analysis (Finding out what you need to be in compliance)
You have to know where you are before you can map the path to where you need to be. Phase 1 produces that map; Phase 2 executes it.
Remediation Process (Getting you to compliance)
Using the plan from Phase 1, make the necessary changes, such as encryption, intrusion detection, system monitoring, and role-based access controls.
Many programs end here. However, we add Phase 3 because security is a process, not a single event.
Security Maintenance (Keeping you in compliance)
Verify that recurring controls remain active and in place. Examples of these controls include continuous monitoring, scheduled vulnerability assessments, reviews of policies and procedures, table-top exercises, and security awareness training with phishing exercises.
What are the penalties for not complying?
Penalties for non-compliance are simple but effective. If you are not compliant, you are no longer permitted to bid on new government contracts that require CMMC. If you have already been awarded, or are subcontracting on, a contract that now requires CMMC certification, you run the risk of being removed from that work.
Provide your IT staff the support they need to be sure your data is safe.
Win and Retain Government Contracts
With a CMMC certification you can continue and pursue the government work you are already qualified for.
Build your compliance package
The deliverables are the policies, procedures, tests, and a tracking system for your CMMC compliance status, all bundled in a "compliance package" that an assessor can use to confirm the organization is meeting the government's mandates for securing CUI.
How do CMMC and CUI work together?
- CMMC has five levels of maturity. Level 1 is basic cyber hygiene and requires only the protections prescribed in the regulation. These controls are the minimum requirement to bid on federal contracts. Level 1 applies to Federal Contract Information (FCI): information provided by or generated for the Government under contract and not intended for public release.
- CMMC Level 2 is the first maturity level on the path to protecting CUI. It requires every security domain to be documented as policy. The intent is to establish the organization's expectations for planning and performing security activities and to communicate those expectations to the organization.
- CMMC Level 3 is the level that fully implements the NIST SP 800-171 security requirements. Level 3 also requires a System Security Plan (SSP) and a Plan of Action and Milestones (POAM), which document how the security policies are implemented and how any remaining gaps will be closed.
Every organization looks forward to new business. Ensure your compliance is in effect before you lose the ability to bid on future government contract work.
The CMMC requirements apply to all components of the federal and non-federal information systems and organizations that possess, store, or transmit FCI or CUI. If your organization provides protection or security services for those systems, the requirements apply to you as well.
You get peace of mind knowing that you can pass an audit. More importantly, you are properly protecting controlled information!
You are more aware of your own security posture and have a working plan to keep it protected.
Work with Prime Contractors
More Business Opportunity! You can work with prime contractors on CMMC bids where they can use your services.
Your clients and employees can see your dedication to protecting your business and its data. This discourages sloppy security practices across the enterprise.
Why Choose Duffy Compliance?
We bring decades of experience in implementing NIST security controls and best practices. We understand system security risk and how it affects system architecture. Our enterprise-level experience allows us to tailor solutions to your organization’s unique set of requirements that get you compliant with as little change and disruption as possible.
Duffy Compliance Services gives you peace of mind to know that your compliance effort is being professionally handled, and your data is safe and secure. There have been many times we have been called to an organization after a security breach or event. It is much more expensive to clean up a breach than it is to prevent one.
Duffy Compliance Services, a provider of cybersecurity consulting and compliance services, is an approved CMMC Third-Party Assessor Organization (C3PAO) under the CMMC Accreditation Body. A C3PAO is authorized to schedule, manage, and conduct assessments for organizations seeking CMMC certification.
And if you want to learn more about CUI-SafeHarbor, our secure platform that provides small businesses and contractors an almost-instant turn-key CMMC compliance solution.