What CMMC Updates Should Your Enterprise Be Making?
Contractors and companies working in the military supply chain have been volunteered to evolve with the federal government’s thinking on cybersecurity. After rolling out Cybersecurity Maturity Model Certification (CMMC) to near completion under the previous administration, the Pentagon tapped the brakes and tasked businesses with adopting a new cybersecurity model, affectionately known as CMMC 2.0.
Like the first go-round, deadlines are — again — fast approaching. Business leaders who wish to profit from potentially lucrative U.S. Department of Defense (DoD) contracts must make CMMC updates or find themselves on the outside of profitable government contracts.
Pentagon’s Advanced Cybersecurity Efforts Prove Justified
The federal bureaucracy may not operate with the consistency it demands of hard-working people in the military industrial base. But the reasons for insisting on a single cybersecurity standard that deters, detects and repels hackers sponsored by our adversaries hold true. In 2023, a group of hackers affiliated with Iran’s Islamic Revolutionary Guards Corps breached the Municipal Water Authority of Aliquippa, PA, according to the Associated Press. The group essentially tested its ability to upend fresh water supplies and penetrate deeper into the U.S. energy sector. And according to the Cybersecurity and Infrastructure Security Agency (CISA), these are areas where Russian hackers train their sights.
- Command, control, communications and combat systems.
- Intelligence, surveillance, reconnaissance and targeting.
- Weapons and missile development.
- Vehicle and aircraft design.
- Software development, data analytics, computers and logistics.
CISA also indicates that over a two-year span, Russian-sponsored cybercriminals targeted direct military contractors, mid-sized organizations and small businesses that operated in the supply chain. Enemy hackers often try to uncover fragments of information from emails, contractors and even invoices that may be revealing pieces of America’s national security puzzle.
Tactics Used by Hostile Threat Actors
To say that threats used by hackers from hostile nations like Russia, Iran or China are persistent would be something of an understatement. Cable news draws viewer attention by showing hot war activity in Ukraine or the Middle East. But in the quiet dark of night, a global informational conflict plays out over data. These are ways foreign hackers try to gain access to our military defenses and top-secret developments.
- Reconnaissance: Rogue countries frequently attempt brute-force attacks to penetrate networks in the military industrial base. Cybercriminals also use brute force to uncover usernames and passwords so they can pillage data.
- External Remote Activity: Hackers continue to search for vulnerabilities in virtual private networks (VPNs). These are the preferred cybersecurity options for DoD contractors when communicating remotely.
- Phishing & Spear Phishing: A tried-and-true method used by fraudsters and low-level hackers, electronic messages continue to trip up everyday people. A single mistake can allow spyware to enter a military industrial base system.
- Email Collection: Armed with legitimate login credentials in hand, enemy-state hackers can export thousands of electronic communications from a given network.
There are seemingly countless emerging techniques used by hackers of every skill level. While business leaders and your company’s chief information security officer (CISO) may be annoyed at the federal bureaucracy for moving the CMMC goalposts, so to speak, a sense of urgency exists to make CMMC updates right now.
Critical Differences Between CMMC 1.0 and 2.0
The DoD moved away from allowing companies to “self-attest” to their cybersecurity compliance back in 2019. The change in philosophy was purely pragmatic. That’s largely because companies too often fail to maintain mandated cybersecurity defenses. The Pentagon routinely discovered this problem following devastating data breaches orchestrated by America’s enemies. Penalizing a defense contractor or supply chain business after the fact did nothing to undo the damage. By implementing a single standard that calls for proof of compliance, valuable and sensitive information would be more secure going forward. These are ways CMMC has changed from its initial incarnation.
The CMMC updates from 1.0 to 2.0 are relatively straightforward. The tiered cybersecurity system began with five levels that were later reduced to three. The approach to self-assessments differs substantially, and the CMMC 2.0 version may present some confusion in this regard. The way assessments are conducted ranks among the critical differences that should concern businesses in America’s military industrial base.
Under the CMMC 2.0 standard, companies that fall under Level 1 and some Level 2 operations can test their own cybersecurity defenses. Using objective standards, qualifying organizations are then required to file their results for the federal government to review. Other Level 2 and all Level 3 operations are required to undergo third-party assessments, and those scores are also filed with the federal government. Failing to meet the CMMC 2.0 requirements can sideline a business and void its ability to bid on lucrative DoD contracts.
If your operation stores or transmits Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), it will likely be held to the CMMC 2.0 mandate. It’s also important to remember that the Pentagon is not necessarily interested in distinctions between contractors and subcontractors. This cybersecurity directive focuses almost exclusively on protecting data.
CMMC Updates Include Phased Approach
The DoD has adopted a position that it will gradually phase in various aspects of CMMC 2.0. Although companies — technically — have until the first quarter of 2025 to provide proof of compliance, contractors and peripheral outfits are expected to meet reasonably compliant cybersecurity standards right now. These are CMMC updates to the timeline decision-makers need to know.
Phase 1
The Pentagon expects all companies to provide proof of CMMC Level 1 self-assessments to receive DoD contracts and work during the first quarter of 2025. The feds have also indicated they can exercise discretion involving CMMC Level 1 and Level 2 adherence before awarding a DoD contract. Another caveat company leaders need to be keenly aware of is the fact the DoD can revise its position and require a third-party assessment before allowing a bid or contract award to move forward.
Phase 2
The DoD may — at its discretion — make a Level 2 third-party CMMC audit a contract award prerequisite within six months of Phase 1. Compounding the challenges of business leaders, the DoD can, again, at its discretion, elevate the standards from Level 2 to Level 3. That means your organization would need a third-party CMMC-certified expert to review the entire system, perform cybersecurity testing and determine an objective score. That’s a twist few business professionals have considered as they prepare the necessary CMMC updates and harden their attack surface.
Phase 3
Within 12 months of Phase 2, the DoD is expected to mandate Level 2 third-party certifications. This would apply to bids as well as contracts that are already underway. The Pentagon also reportedly plans to enforce CMMC Level 3 certifications for bids and existing contracts. A select few organizations may enjoy some Level 3 wiggle room, depending on the type of CUI and FCI organizations handle.
Phase 4
One year after Phase 3 has been implemented, all CMMC 2.0 elements are expected to become fully enforceable. Failing to meet the standards relevant to your organization may result in the loss of DoD contracts and being banned from bidding on future work. Companies that do not take proactive measures to align their cybersecurity posture with CMMC 2.0 can expect to take a bottom-line and reputational hit.
Steps to Comply with CMMC Updates
Given the phased rollout of CMMC 2.0, some companies have decided to kick the can down the road rather than take proactive pre-certification measures. Delaying the process puts organizations in a position to lose profit-driving contracts and peripheral work. All told, more than 300,000 firms will require CMMC updates to prove they are in compliance or have a qualified Certified Third-Party Assessor Organization (C3PAO) test and report on their network defenses. These are recommended steps to start implementing right now.
Perform Gap Assessment
A cybersecurity gap assessment involves evaluating an operation’s security posture. Typically, a third-party firm takes a deep dive into the methods used to transfer, store and protect sensitive and valuable digital information. A gap assessment also reviews company best practices and cybersecurity infrastructure, among other facets. In terms of CMMC 2.0 compliance, a C3PAO may be the best resource to get the job done.
Promptly Address Gap Assessment Findings
The third-party firm that conducts the gap assessment usually provides a thorough report. The findings cover network defensive strengths as well as areas that require improvement. These may vary from issues that need modest improvement to curing critical deficiencies. Gap assessment reports often include professional advice about next steps. Even if your operation does profit from DoD work, this proactive cybersecurity measure gives decision-makers a guide to harden their defenses. That, in itself, improves your network defenses and your organization’s ability to deter, detect and expel threat actors. The alternative is continuing to be low-hanging fruit for cybercriminals to pluck.
Select a Suitable C3PAO
Having a fluid working relationship with a managed IT firm that has also met the stringent standards to qualify as a C3PAO is crucial. This B2B rapport calls for productive communication, transparency and cost-effective, scalable opportunities. Choosing the right C3PAO for your organization can be a rewarding experience. Not only can it lead to CMMC 2.0 certification and ongoing compliance, but it can also lead to improved productivity and increased profits.
Prepare for the CMMC 2.0 Assessment
Company leaders, department heads and key stakeholders will have an opportunity to set a path forward. The emphasis will be on achieving CMMC 2.0 certification and maintaining that standard. Faltering at any juncture can result in the loss of DoD contracts. Leadership teams will also be able to see certain aspects of their digital footprint that can be made more efficient.
Removing unnecessary redundancies and outdated programs generally helps operations streamline their processes and cut costs. While getting ready for the CMMC 2.0 assessment, it may be prudent to take a holistic approach to managed IT and cybersecurity.
Undergo a CMMC 2.0 Assessment
If you opt into a business relationship with a C3PAO, you will have the opportunity to run preliminary CMMC assessments. This means you can have the third-party firm perform a non-binding test for the purpose of identifying any outstanding issues. Should you pass with flying colors, scheduling a final CMMC assessment is just a phone call away.
What Companies Can Do to Get Ready
Connecting with a C3PAO is a vital step in achieving CMMC compliance and staying in the good graces of the DoD. By that same token, there’s no reason for your in-house managed IT staff or lead information person to sit on their hands. Consider using a CMMC checklist to start addressing critical issues such as the following.
- Conduct cybersecurity awareness training
- Develop an information security policy
- Address physical and environmental security
- Implement zero trust login infrastructure
Laying the foundation for a thriving cybersecurity culture can change the game against garden-variety hackers as well as advanced persistent threats. Instead of employees being the weak link, they can emerge as a front line of defense. The benefits of these and other best practices will only elevate your status when bidding on government contracts.
Red River Helps Companies Make CMMC Updates and Pass Assessments
If you know or suspect you need help achieving CMMC 2.0 compliance and maintaining critical cybersecurity measures, Red River is a qualified C3PAO. We work with companies to provide effective, scalable managed IT and cybersecurity consulting. Our experts can help you transition to an organization that possesses a formidable cybersecurity posture that deters, detects and repels even the worst hackers.
We understand that CMMC compliance can prove challenging. However, we are ready to shoulder the burden. Contact us today by calling or filling out our online form. Let’s get the process started!