Defense Cyber Manufacturing
Defense contractors are aware of the Defense Federal Acquisition Regulation Supplement (DFARS), which mandates that Department of Defense (DoD) contractors adopt cybersecurity standards based on the NIST SP 800-171 framework. Because adoption of those standards has been slow, the DoD has released the Cybersecurity Maturity Model Certification (CMMC) to ensure that the standards are assessed properly and are adequate for addressing security requirements throughout the defense supply chain.
This means that CMMC will be a requirement for any company doing business with the DoD, as a prime contractor or lower-tier subcontractor. The key difference is that while DFARS 7012 allowed contractors to self-attest to NIST SP 800-171 compliance after winning a contract, CMMC requires them to be certified before the contract is awarded. With CMMC, contractors must be audited and certified before they can bid on RFPs. With five possible maturity levels, the CMMC is intended to safeguard Federal Contract Information (FCI) at Level 1, progress to protecting Controlled Unclassified Information (CUI) at Level 3 and reduce the risk of Advanced Persistent Threats (APT) to national security at Level 5.
Adopting Infor FedRAMP-authorized solutions that already implement the required security practices can provide an easier path to certification at a lower cost and may even enable smaller companies to target a higher CMMC maturity level.
Steps to CMMC Compliance
Contractors should begin preparing now for self-assessment and third-party certification. Successfully meeting CMMC level requirements may require investment in additional IT staff, migration of IT infrastructure, and evaluation of different back-office business systems, network solutions, or end-user devices and software. Beyond these additional resources, organizations will also need to produce and maintain extensive documentation of organizational standards, policies, and procedures as evidence of compliance.
Step 1: Identify your target maturity level
An organization’s target maturity level depends on its current contracts and on the programs it would like to bid on in the future. Both current contractors and those new to DoD programs should review the RFIs and RFPs expected in Fall 2020 to understand what maturity levels are being required for typical program roles.
“Work on projects requiring ITAR compliance? You need to achieve CMMC Level 3 certification, at a minimum.”
Step 2: Determine whether external security or compliance services are needed
Contractors need to consider the overall business impact and cost when deciding whether to pursue CMMC certification entirely in-house or to engage external expertise and services. The quickest way to achieve CMMC certification may be to outsource some security and compliance activities to consultants or third-party IT solution vendors. The tools and skills required to achieve CMMC certification can mean a significant change in operating expenses, personnel, and administrative overhead.
“Organizations that find themselves facing one or more of the following circumstances should reach out to ITG, our qualified third-party advisor:”
- May require Level 3 or above
- Are facing NIST SP 800-171 for the first time
- Have no dedicated security personnel
Step 3: Conduct a self-assessment and update security documentation
This step should help make the actual certification process go as efficiently as possible, giving contractors a clear view of which security controls they need to implement, which processes they need to improve, and which documentation they need in place to achieve certification. The self-assessment asks about security control implementation and evaluates whether the controls are sufficiently documented, captured in policy, managed, and reviewed against the requirements of each CMMC level.
“Reference the NIST Handbook 162, a self-assessment handbook for NIST SP 800-171 that uncovers baseline readiness to identify all gaps and inform development of a preliminary remediation plan for each. These plans need to be documented within a Plan of Action & Milestones (POA&M).”
Step 4: Remediate gaps
The POA&M created in Step 3 serves as a to-do list for organizing, prioritizing, and tracking the completion of all gap-closure activities. Actions in the POA&M may require the development of new organizational standards, policies, and procedures. Larger gaps may mean modifying the architecture of an organization’s IT infrastructure and procuring new software and IT security solutions.
Step 5: Conduct CMMC readiness assessment
After completing the previous steps, organizations are ready to repeat their CMMC self-assessment as a final readiness check before the actual audit by a CMMC Third-Party Assessment Organization (C3PAO). Organizations that have not yet used external services may consider doing so now to raise their level of confidence. This can also serve as a practice run for the actual audit.
“Repeat the self-assessment until all gaps and POA&M items have been addressed.”