Key Article Takeaways
- Cybersecurity compliance is vital to successfully bidding on DoD contracts in 2020.
- CMMC level compliance must be achieved in order to successfully bid on contracts in 2020.
- Analyzing key cybersecurity metrics can help DoD contractors successfully identify areas of weaknesses and vulnerabilities.
- Working with a team of cybersecurity experts can reduce the risk of attacks, protect against a disruption of services, prevent the unauthorized use of CUI data, and achieve business continuity in the face of an active cyber threat.
The Department of Defense (DoD) recently announced that both prime contractors and subcontractors will need to comply with the new Cybersecurity Maturity Model Certification (CMMC) beginning in 2020. This announcement has left many contractors scrambling to shore up their defenses as they seek to bid on new work throughout the year. CMMC will be critical to winning contracts; however, compliance isn't the only way that contractors can boost their cybersecurity.
#1. Analyze The Three Key Categories Of Cybersecurity
There are three key categories of cybersecurity measurement: implementation, effectiveness and efficiency, and impact. If contractors want to successfully bid on a DoD Request For Proposal (RFP) in 2020, then they need the right team of cybersecurity compliance experts at their side. These experts respond to the organization's specific needs by analyzing each of the three categories.
- Cybersecurity Implementation. — Implementation measurements must be established to clearly identify any areas of possible weakness, and they should be taken for both the prime contractor and each subcontractor. Protecting against current and future vulnerabilities is the first step in developing a dynamic approach to cybersecurity that meets the new DoD regulations.
- Cybersecurity Effectiveness and Efficiency. — Protecting against vulnerabilities might be the first step in advanced cybersecurity defenses, but the equally important second step is measuring how well a contractor can prevent, detect, and respond to attacks. Defense contractors are constantly bombarded with attempted attacks; how quickly and how completely they respond creates the foundation needed to defend their Controlled Unclassified Information (CUI).
- Cybersecurity Impact. — Just as DoD contractors highlight their disaster recovery plan as part of their Request For Information (RFI) and RFP responses, so too must they take the time to measure the impact of a successful attack against them. By measuring this impact, the organization can determine a) how it will respond, b) how it will learn from the event, and c) how it will maintain business continuity in the aftermath.
#2. Adjust Security To Meet CMMC Certification Levels and Controls Requirements
The biggest change for DoD contractors in 2020 will be the CMMC certification levels and their control requirements. In layman's terms, CMMC is a tiered framework whose required level is driven by the amount and sensitivity of the information being stored, processed, and handled, from Federal Contract Information (FCI) at the lowest level up to CUI. The requirements combine security controls drawn from NIST SP 800-171 and the draft NIST SP 800-171B enhanced requirements. It is anticipated that NIST SP 800-53 and ISO 27001 could also be used as sources for the requirements.
If DoD contractors want to successfully win bids in 2020, then they need to carefully select the CMMC level appropriate to the contracts they pursue. At a minimum, they must achieve Level 1 certification.
- Level 1. — Basic cyber hygiene, comprising 17 security controls from NIST SP 800-171 rev 1.
- Level 2. — Intermediate cyber hygiene, adding 46 controls from NIST SP 800-171 rev 1.
- Level 3. — Good cyber hygiene, adding a further 47 controls from NIST SP 800-171 rev 1.
It is important to note that, taken together, the first three CMMC levels cover all 110 security controls from NIST SP 800-171 rev 1. The levels are cumulative: if a DoD contractor fails to meet any single control required for a level, it will be certified at the preceding level. Finally, failing to qualify for at least Level 1 will result in unsuccessful bids in 2020 and going forward. As the year progresses, the DoD will begin to release RFIs and RFPs with specific CMMC level requirements. These requirements will be stated in Section L (instructions to offerors) and Section M (evaluation factors) of the solicitation.
#3. Complete A Third Party Audit
Completing a third-party audit is the third way that DoD contractors can improve their cybersecurity and compliance. Prior to CMMC, DoD contractors were able to self-certify their compliance. In 2020, DoD contractors will instead have to pass an assessment by a third-party assessor. Additionally, there will no longer be a Plan of Action and Milestones (POA&M) contingency: a contractor cannot be certified while documenting open gaps for later remediation. Instead, contractors will have to remediate their areas of weakness before assessment if they want to achieve compliance and certification. These third-party assessments are expected to begin in mid-2020.
The Bottom Line: Cyber-as-a-Service (CAAS) Can Improve Defense Contractor Security
Cyber-as-a-Service is a proven solution that provides DoD contractors with a heightened approach to cybersecurity management. The SecureStrux team of experts is ready to take on the following time-consuming tasks to help your organization improve cybersecurity and achieve the desired level of CMMC compliance:
- Authority to Operate (ATO) certification.
- Command Cyber Readiness Inspection (CCRI) preparation.
- Controlled Unclassified Information (CUI) protection.
- Cybersecurity Maturity Model Certification (CMMC) readiness.
- NIST standards compliance.
With our help, a solid Cyber-as-a-Service plan will leverage over 250 years of combined cybersecurity and engineering experience to help your organization achieve vital security and compliance initiatives. Our client base includes the Army, Air Force, Navy, Defense Information Systems Agency (DISA), Joint Service Provider (JSP) Pentagon, as well as 100+ defense industrial base contractors. Together, we can improve the security of your entire network as you achieve compliance for each CMMC level. To discover the benefits of working with a seasoned and mature cybersecurity firm, contact a member of the SecureStrux team today.