It’s happening: CMMC will replace the current system in which DoD contractors simply pledge their compliance with cybersecurity standards issued by NIST
On Friday, September 18, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to government agencies to patch all Windows Server operating systems by Monday, September 21, to block exploitation by unauthenticated attackers. The CISA directive warned that the vulnerability would give cybercriminals a way to get privileged access to domain controllers, compromising Active Directory (AD) identity services and undermining identity and access controls. Over the course of that weekend, many government agency IT departments scrambled to comply with the mandatory and critical directive. If an unauthorized attacker gained control of the identity capabilities at one agency, CISA noted, that access could be used to compromise other federal networks.
If all private organizations working with the government, like yours, had needed to comply with this directive, many would have failed. Many private companies don’t have the written processes or sufficient controls in place to meet this kind of short deadline right now. However, the looming Cybersecurity Maturity Model Certification (CMMC) standards will change that.
Your challenge, should you choose to keep working for the DoD, is to address CMMC compliance
The Department of Defense (DoD) released CMMC in February 2020. The DoD intends for CMMC to standardize cybersecurity implementations across the Defense Industrial Base (DIB). This new directive will enhance security procedures for controlled unclassified information (CUI) on all unclassified networks. Without a standard for protecting these networks, many DIB member companies have fewer controls safeguarding CUI. This makes unclassified networks a path of least resistance for adversaries and places CUI at risk.
The CMMC directive will change how DIB members secure data and document their activities. CMMC creates a five-level hierarchical maturity model. Although it is based on NIST SP 800-171, it moves away from the basic three-level risk assessment (low, medium, high), and it now requires companies to hire non-government auditors to conduct certifications across all five levels.
In other words, every private sector entity wishing to bid on DoD contracts needs to meet this standard by October 1, 2025, at the latest. In fact, some contracts may need to meet compliance as early as 2021. Plus, the DoD has already mentioned that it plans to start including CMMC compliance in contract renewals.
Under CMMC, any company that needs to be compliant with Level 3 or above needs to have documented processes in place for securing CUI. This means that if your organization doesn’t have processes in place that would let it comply with a directive like CISA’s, you might have a lot of work to do.
But wait, CMMC compliance gets even harder.
Although it is not obvious at first, a large part of CMMC requires both DoD agencies and private sector entities to be compliant with the Defense Information Systems Agency’s (DISA) Security Technical Implementation Guides (STIGs). The hidden “gotcha!” here is: CMMC relies on NIST 800-171, which references NIST 800-53, and both reference NIST 800-128. NIST 800-128 gives the technical controls that get you to CMMC compliance, and these controls direct you right back to STIGs. And there’s your “what?” That’s right. To meet technical CMMC compliance requirements, you’re going to need compliant STIG implementations.
STIG compliance can be a time-consuming process requiring extended man-hours to harden servers and operating systems. Then, just when you think you’re set, DISA drops updates with new STIGs into the system. This convolutes and complicates an already convoluted and complicated system of cybersecurity rules and procedures that the private sector has to meet if it wants to work with the DoD.
With STIG compliance being a large part of Level 3 and higher CMMC requirements, it is imperative for contractors to do this work efficiently and at minimum cost. The process of becoming DISA STIG compliant can be time-consuming, requiring many hours of downloading and applying new configuration rules (STIGs), continually scanning workstations, and tracking and logging the results. Your company has, at most, four years to hire STIG specialists, install new rule configurations, and create a historical log for your company records, audit, and certification purposes.
At least you don’t have to tackle all of this by yourself.
SteelCloud has operated in the DISA STIG compliance world since its inception, and we can give your business an advantage by increasing efficiency and decreasing the time you spend on scanning and remediation. Our ConfigOS software automates the process of scanning and remediating STIG controls, giving you an advantage over businesses that still rely on manual implementation or on less proven products.
Each instance of ConfigOS can support even the largest infrastructure—scanning and remediating 5,000 to 10,000 endpoints per hour and reducing days/weeks/months of manual work to just an hour. In fact, automating STIG compliance can reduce the need for specialized IT staffing by over 90%, saving significant resources in employee salaries, time and money. It is fully customizable within the construct of DISA STIG requirements and includes automatic compliance reporting that will make audits much easier.
You have a lot to do and October 2025 is coming faster than you think.
Contractors have now been thrust into the murky world of DoD compliance at a time when the stakes couldn’t be higher. It is going to require some reengineering of the way you deal with your government contracts. But when it comes to reaching Level 3 or higher CMMC requirements, ConfigOS will make your life much easier.
October 2025 sounds a long way away. But there is plenty of work to do to meet that date, especially when you consider the rate of disruption companies are facing in every aspect of their organizations. Get DISA STIG compliance off your mind. Schedule a ConfigOS demo today and stay compliant with SteelCloud.