Cybersecurity Maturity Model Certification (CMMC) | SteelCloud

Search

CMMC doesn’t have to hobble your manpower or your budgets

The focus on security compliance and protecting our government assets and critical infrastructure has never been more urgent. If you are doing business with the DoD as a contractor and you handle controlled unclassified information (CUI), you will need to comply with the same 110 NIST 800-171 security controls the DoD complies with.

Compliance is not a one-time process. Instead, it is a continuous cycle of assessing the environment, re-mediating the issues, and then reporting and filing it because this is what we do. Like CMMC and the IRS, we see more and more government mandates coming down on industry as we go forward. These regulations are required, and non-compliance will result in the loss of your contract with the government. You are not alone, and we are here to help.

The Cybersecurity Maturity Model Certification (CMMC) requirement from the U.S. Department of Defense mandates that DoD contractors obtain certification to ensure appropriate levels of cybersecurity practices are in place to meet “basic cyber hygiene,” as well as protect CUI that resides on partner systems. This is the first time the DoD will require contractors, subcontractors, and suppliers to be certified to participate in the DoD supply chain.

Make Hardening Easier

ConfigOS removes 90% of the effort.

Schedule a Demo

What is CMMC?

The CMMC (now in its second version, CMMC 2.0) is built upon established National Institute of Standards and Technology (NIST) 800 – 171, special publications, and DFAR regulations, which until now specified the cybersecurity standards that all Defense Industrial Base (DIB) companies had to adhere. Specifically, DFARS clause 252.204-7012 stipulates that any company that accesses or stores CUI must assess its cybersecurity capabilities and attest that it meets all 110 security controls of NIST SP 800-171 or have in place a Plan of Actions and Milestones (POAM). CMMC certification will require companies to demonstrate effective cybersecurity practices and procedures sufficient to satisfy an annual audit.

Whom does this affect?

The DoD recognizes that their contracts have different risk profiles, so that each RFP will list a CMMC level requirement from 1-3.

Level 1 applies to DoD contractors who don’t deal with (CUI), only Federal Contract Information (FCI). These contractors don’t hold government information on their corporate networks, so this level’s security requirements are much less stringent. Most contractors that provide basic supplies and commodities to the government typically fall under Level 1. At Level 1, DoD contractors are able to self-asses that they have met the 17 criteria needed for certification.

For Levels 2 and 3, the DoD contractors handle CUI. Representative CUI can be information like schematics for DoD equipment that permits adversaries to reverse-engineer or learn about military capabilities. Another example is maintenance plans for aircraft equipment on a CUI network. This requires a level of protection very similar to the current NIST SP 800-171 recommendations used within the DoD already. Depending on the nature of the data you handle, some contractors will be able to self-assess, but many will need to secure approved third-party assessment to get and maintain their certification.

At Level 3, the CUI being protected is at a high level of sensitivity. These networks may be primary targets of cyber adversaries. Examples of this information are weapon test results or detailed manufacturing schematics. Not surprisingly, securing your network up to Level 3 applies to a smaller, select subset of the DIB and can be very expensive without a plan and effective tools. While all details of CMMC 2.0 are still being ironed out, it seems companies at this level will need to conform to NIST SP 800-72 standards and be government assessed for certification every three years.

If the DoD represents a current or future part of your revenue streams, serious attention and preparation for CMMC are an absolute must.

See how quickly ConfigOS brings YOU into compliance!

Witness the amazing capabilities for yourself. Schedule a demo today.

Schedule a Demo

How will CMMC work?

When third-party assessments of cybersecurity compliance are needed, they will be conducted by Third-Party Assessment Organization/s (C3PAOs) approved by the CMMC Accreditation Body (CMMC-AB). This will apply to most DIB companies handling CUI. The following information categories correspond to differing levels of CMMC and are more fully defined here.

COTS (Commercial Off-The-Shelf) Information
Typical products or services that are sold in substantial quantities in the commercial marketplace
FCI (Federal Contract Information) Information

Non-public information provided by/for the government under a contract
CUI (Controlled Unclassified Information)

Information requiring special labeling and safeguards
CTI (Controlled Technical Information)

Technical information with military or space application subject to special controls – subset of CUI
Classified Information

Classified information is outside the scope of CMMC

CMMC Impact on the DIB beyond Prime Contractors

CMMC mandates don’t merely apply to prime contractors; they impact subcontractors as well. Primes are required to maintain CMMC information requirements across their supply chain where there is a continuity of information to the lowest level. As such, the largest primes are already beginning to encourage if not force their suppliers to obtain CMMC, ranging from positive actions like providing consulting resources and tools to a more restrictive approach of not including non-compliant CMMC subcontractors on their bid and execution teams. For many small businesses (SMBs), subcontracting is the primary if not only source of company Federal revenue.

What role do STIGS play?

Throughout the DoD, the DISA Security Technical Implementation Guides (STIGs) are a fundamental component of hardening systems per the Risk Management Framework (RMF), a Federal, whole of government requirement for government systems. NIST 800-171 specifies that any federal contractor that works with Controlled Unclassified Information (CUI) must follow this policy framework. Notable attention has been given recently to STIGs as they relate to the DIB. NIST requirements for government stipulate that Federal environments be hardened to either STIG/CIS standards, and the DoD has settled on STIGs as the baseline of choice. CMMC reinforces this internal government requirement to the DIB, with Levels 2 and 3 stipulating an infrastructure hardening mandate akin to RMF or FedRAMP High.

STIGs are an operationally implementable sourcebook of DOD Information Assurance (IA) controls, security regulations, and best practices for securing operating systems, networks, and applications. More importantly, STIGs provide security guidance for actions like mitigating insider threats, containing applications, and security information system credentials and assets.

The CMMC problem faced by SMBs

We know the application of STIGs meets the mandates of CMMC for Federal contractors in the DIB. The challenge is the amount of labor and cost required to implement STIGs in any environment. Cybersecurity consultants and systems integrators alike are aware that these information assurance practices often take months to implement even the smallest number of endpoints in a Federal environment.

This makes CMMC certification using traditional means of implementing security controls prohibitively costly for SMBs in the DIB. Short of an affordable means for SMBs to achieve certification will reduce the Federal supplier pool as the cost of compliance drives companies out. This dynamic is contrary to stated Federal government goals on supply chain diversity, damages SMBs, and weakens the strength and resiliency of the DoD

Is there a solution?

Automate the Technical Requirements of CMMC

SteelCloud has been automating STIG and CIS compliance for Federal government customers for years using a patented, automated scan and remediate solution called ConfigOS. Federal agencies use our ConfigOS automated compliance software to affordably maintain a robust cyber infrastructure to become and stay compliant. Larger integrators have deployed this software in support of their Federal programs or for their internal CMMC requirements.

The ConfigOS solution hardens infrastructures around the given application stacks used on them, and this differs by environment depending upon program mission, tools of preference, and operating system. ConfigOS is used to build custom signatures to support these environments to apply STIG automation and provide reporting artifacts for RMF accreditation requirements, typically reducing system hardening efforts by 70-90%. Similar results can be expected for the technical requirements of CMMC, making the unaffordable mandate much more palatable for SMBs trying to get or keep their place at the Federal contracting table.

How to get compliant and stay compliant with ConfigOS

Our ConfigOS software automatically scans and remediates the onerous controls requirements imposed by CMMC on the DIB, reducing hundreds of hours of work to 60 minutes or less. Because these controls frequently change (DISA updates STIGs quarterly at a minimum), the ConfigOS software not only gets companies into initial CMMC compliance but keeps them in compliance year over year. SteelCloud’s ConfigOS software hunts down hidden non-compliances across the network and automatically remediates them in minutes. It serves as a documentable basis for accepted CMMC controls process that paves the way to successful audits time and again.

Contact us today to learn more about how SteelCloud can help with CMMC certification.

Additional Resources:

Relevant Sites

Relevant Documents

ConfigOS pays for itself from its first use.
It’s a no-brainer!

Now all that’s left is to experience it for yourself.

Demo Buy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Others