How ready is your organization for the new NIST 800-171 CMMC requirement?
The DoD continually works to improve cybersecurity policies to protect our nation’s sensitive intellectual property. While NIST 800–171 compliance is mandatory; building and maintaining compliant security policies can be overwhelming. Many suppliers lack the time and or resources needed to create and maintain the NIST security policies mandated by the Department of Defense.
NIST 800-171 specifies that any federal contractor that works with Controlled Unclassified Information (CUI) must follow the policy framework. NIST requires that the environment be hardened to either STIG/CIS standards, and the CMMC further reinforces that by requiring the contractor to now be certified to one of the five levels. The official Cybersecurity Maturity Model Certification (CMMC) for levels 3 through 5 stipulate STIG/CIS compliance.
Further, the government has announced that CMMC certification will be a requirement to bid on many contracts starting in 2020. Every contractor needs to plan on a simple automated method for complying with STIGs. Information about what is defined as CUI can be found in Executive Order 13556 “Controlled Unclassified Information.”
How to Implement a Simple Automated Method to Achieve CMMC Certification
DoD contractors will now need to become CMMC Certified by passing an independent third-party audit to verify they have met the appropriate level of cybersecurity controls. These new levels of cybersecurity controls and processes will ensure an audit has been conducted and whether the contractor is awarded certification or not. SteelCloud’s patented ConfigOS automated STIG/CIS compliance software reduces the time, effort, and complexity of addressing your CMMC mandate. ConfigOS scans and remediates with compliance reporting to fix the non-compliances and hardens STIG/CIS controls around an application baseline in 60 minutes.
Uncertain about what is required and how to assess and document in preparation for CMMC? Check out these STIG & CMMC Control Matrix documents for Windows 2016 and Red Hat 7. These documents show the crosswalk between the 800-53 controls fulfilled by the STIGs and how they map to CMMC levels: