A CMMC 2.0 Assessment Guide for Proactive Mandate Preparation
With the rulemaking process scheduled to end in November 2023, organizations in the military industrial base are facing a fast-approaching deadline to comply with the Cybersecurity Maturity Model Certification (CMMC 2.0).
The U.S. Department of Defense (DoD) submitted the newly minted CMMC 2.0 requirements to the Office of Information and Regulatory Affairs (OIRA) in July 2023. That puts the rule on track for publication in late October. Direct contractors, as well as organizations in the military supply chain, are now tasked with determining how to achieve CMMC 2.0 compliance before it shows up in contracts. At Red River, we work diligently with businesses to help them exceed government mandates. The information in this CMMC 2.0 assessment guide could prove valuable in preparing for the stringent security measures.
What Organizations Need to Know About the CMMC 2.0 Timeline
Like any federal rule, CMMC 2.0 will go through a 60-day period in which the government fields public comment. Given the mandate is on track for a late-October to early-November publishing date, that places the end of public input at year’s end. As military contractors and subcontractors transition into 2024, the OIRA will then have 90 days to decide whether to send the draft back for revisions.
While the slow-moving bureaucracy could appear to kick the proverbial can down the road, there is an important caveat to keep in mind. The federal government is likely to publish what it calls an “interim final rule,” which would put CMMC 2.0 requirements into effect without waiting for the comment process to conclude.
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, is reported to have said. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
The OIRA decides whether to issue an interim final rule and has a history of following that procedure. In 2016 and 2020, the agency pushed DFARS cybersecurity rules through by publishing them as interim final rules. With the U.S. now embroiled in the Ukraine-Russia conflict and rogue nations such as North Korea and Iran funding advanced persistent threats, our national security is at risk. The pressing need to harden our national security could fast-track CMMC 2.0 compliance mandates into DoD documents and contracts during the first or second quarter of 2024.
Why Contractors Are Already Behind the CMMC 2.0 Curve
It may seem logical for decision-makers to wait until the final rule – or at least the interim rule – has been published before beginning the assessment and CMMC 2.0 compliance process. The notion that the federal government would issue a mandate and call for a quick turnaround seems counterintuitive. That holds particularly true given the rulemaking process began during the previous administration.
Call it unreasonable, but even businesses with 100 or fewer employees may need a year to become fully compliant. Large corporations might need a full-court press or risk losing lucrative government contracts. The essential point is that if your organization has not undergone a risk assessment and identified which of the CMMC 2.0 levels is applicable, time is running out.
What are the CMMC 2.0 Levels?
Initially, CMMC was crafted with five distinct compliance levels. But a change at the White House and Pentagon prompted a review of the cybersecurity policy. The CMMC 2.0 levels have been placed in three categories, with differing compliance commitments. These are the three CMMC 2.0 levels and what industry leaders need to know about meeting the standards.
Level 1 (Foundational Cyber Hygiene)
Organizations that primarily handle federal contract information (FCI) can anticipate falling under Level 1 protocols. Its procedures and best practices follow 17 controls drawn from NIST Special Publication 800-171, published by the National Institute of Standards and Technology. The goal is to safeguard basic contract data that foreign entities could use to piece together elements of America’s military supply chain, expenditures and national security players.
Enterprises that fall into the Level 1 category may be eligible to conduct what the DoD is calling “self-assessments.” This term can lead to subcontractors not acting with the sense of urgency necessary to prepare in time. Business professionals will need to follow the rigorous CMMC 2.0 guidelines and pass a stringent self-assessment test. C-Suite executives may need to attest to the score and file a report with the federal government.
Level 2 (Advanced Cyber Hygiene)
Organizations that store or transmit Controlled Unclassified Information (CUI) may find Level 2 requirements convoluted. Some operations are required to have a third-party audit. Others can follow the self-assessment pathway available to companies that fall under the Level 1 umbrella. Because Level 2 is largely based on NIST SP 800-171, companies can anticipate meeting upwards of 110 best practices.
Outfits that are approved for self-assessments will also need to file the appropriate score and documentation with the federal government on an annual basis. Those who opt for, or are required to have, a third-party audit are expected to redo the process every three years. However, each operation within the military supply chain is expected to maintain its cyber defenses at all times.
Level 3 (Expert Cyber Hygiene)
As you might expect, the CMMC 2.0 compliance standards for this level are quite stringent. Corporations that handle CUI, as well as secret information, must harden their defenses to detect and repel Advanced Persistent Threats. This class of hackers possesses the sophisticated skills to breach even the most well-protected network.
They are typically funded by our country’s adversaries, giving them the time and resources to relentlessly pursue national security plans and secrets. That’s why Level 3 cyber hygiene calls for more than 110 NIST SP 800-171 practices, including proactive cybersecurity measures. In terms of compliance, only accredited third-party CMMC auditors can perform a certified assessment and report the findings to the federal government.
Failing a CMMC 2.0 compliance audit can result in the revocation of government contracts and prevent businesses from bidding on the next wave of federal spending. We’re all well aware that working for the DoD or contributing to the military defense supply line can help drive profitability. That’s why it’s mission-critical to promptly schedule a CMMC 2.0 assessment.
How to Prepare for a CMMC 2.0 Assessment
Although the upcoming CMMC mandate reduces the number of cyber hygiene levels from five to three, it may actually be more complex than the initial model. It’s generally in every business leader’s best interest to onboard a certified CMMC Third-Party Assessment Organization, also called a C3PAO, to help shepherd supply chain operations and direct military contractors through the following assessment preparation process.
Identify Your CMMC 2.0 Compliance Level
The majority of the 300,000 businesses in the military industrial base are expected to fall into the Level 1 or 2 categories. That determination will largely be based on whether the outfit handles FCI or CUI. The degree to which the data is stored and transmitted may also play a role in determining whether you need Level 1 or 2 cyber hygiene. One of the nuances for Level 2 operations involves whether you can self-assess or need a C3PAO audit. Security media outlets such as National Defense Magazine have been highly critical of self-assessment ambiguities.
“The most glaring issue with the self-assessment model is the potential for inconsistency and lack of objectivity. The rigor of the assessments could significantly vary depending on a contractor’s understanding of the standards, their willingness to self-correct and their perception of the stringency of the evaluation process. The capacity for each contractor to self-assess objectively is a dicey proposition, with the risk of overestimation or underreporting of their cybersecurity maturity being a significant concern,” National Defense states.
Working with a C3PAO to determine your cyber hygiene level from the start avoids confusion and reduces the risk of non-compliance.
Have a Risk Assessment Performed
A risk assessment, or gap assessment as some industry professionals call it, is a major first step in turning weaknesses into strengths. The process involves having cybersecurity professionals test your network for vulnerabilities. Security gaps and best-practice shortcomings are uncovered as hacking techniques are simulated. Findings may include unpatched software, weak password usage, outdated firewalls and anti-virus software, endpoint protection gaps and employees lacking basic cybersecurity awareness.
After a risk assessment has been performed, a third-party managed IT and cybersecurity expert provides a detailed report. This document highlights areas that need to be secured and serves as a blueprint to harden your defenses.
Craft and Implement a System Security Plan
A thoughtful System Security Plan accounts for current weaknesses and serves as a baseline for future cybersecurity policies and best practices. Aligning your defenses to comply with the expected CMMC 2.0 interim final rule positions your organization to maintain government contracts, bid on work for the next fiscal year and appropriately protect your digital assets. These are the three pillars of a forward-looking system security plan.
- Availability: Authorized network users typically require free and unfettered access to digital assets and programs to complete projects on time and on budget. It’s not uncommon for business professionals outside the information technology trades to overcompensate and clamp down on access. This holds especially true of Level 1 and 2 outfits that try to self-assess without the guidance of a C3PAO. By working with a third-party cybersecurity expert, your system security plan does not have to become a drag on productivity.
- Confidentiality: This speaks to the ability of your operation to securely store and transmit FCI, CUI and sensitive digital assets. In this regard, the CMMC 2.0 policy raises the privacy bar on DoD information much like HIPAA guidelines protect personal healthcare records.
- Integrity: A network must possess adequate defenses to deter and repel threats. Although garden-variety hackers may pursue Level 1 data, advanced persistent threats launch sophisticated attacks against Level 2 and 3 organizations. The question is whether your cybersecurity measures can detect, respond to and expel nation-state threats. On the other side of the coin, can you rely on people in your organization to follow company policy and keep DoD intelligence safe?
Although the DoD appears to have developed a comprehensive plan to protect national security throughout the military supply chain, the launch of any new initiative can be fraught with errors, miscommunications and costly setbacks. Along with bringing in a C3PAO to serve as your CMMC 2.0 assessment guide, there are pragmatic cybersecurity defenses that can be integrated before audits take place.
Harden Your Cybersecurity Before CMMC 2.0 Shows Up in Contracts
It’s essential to maintain a determined cybersecurity posture that deters hackers and protects your digital assets, come what may. Cybercriminals not only target national security information, but they also seek to harvest sensitive and valuable digital assets from everyday businesses. Your operation could just as easily be the target of a for-profit ransomware attack as of an advanced persistent threat working for China, Iran or North Korea. As a leader in cybersecurity, Red River can implement pre-assessment defenses consistent with CMMC 2.0. These include the following.
- Awareness Training: More than 80 percent of data breaches are the result of human error. By establishing a cybersecurity awareness training program, human vulnerabilities can be turned into robust defenses.
- Security Operations Center (SOC): The cost of building an in-house security operations center is prohibitive. That’s why we provide SOC as a service to our valued business partners. Leveraging SOC capabilities provides 24-7 threat detection, real-time threat response and the ability to repel advanced persistent threats.
- Zero-Trust Protocols: Implementing zero-trust access controls limits network users to the digital files, programs and assets they need to complete routine tasks. Under this policy, a user with no need for sensitive FCI or CUI cannot reach it. Should a hacker breach your system using an employee’s credentials, the criminal’s access is restricted in the same way.
CONTACT RED RIVER TO GET THE CMMC 2.0 PROCESS STARTED
The cybersecurity experts at Red River help businesses in the military industrial base meet the CMMC 2.0 requirements. If you are concerned about CMMC deadlines or need clarification on your current cybersecurity defenses, call us today or fill out our online contact form. Let’s get the process started!