Security requirements such as NIST 800-171 and CMMC and what federal IT pros need to know about how they impact cybersecurity and how to comply.
GovCon CyberSecurity Compliance
As a federal contractor you're entrusted with federal contract information (FCI) & controlled unclassified information (CUI) that must be handled securely.
The US government is one of the largest buyers in the world and relies heavily on its industry supply chain of contractors to provide supplies, services, and innovative technology to improve our way of life. The ecosystem and supply chain runs deep and not only includes government agencies and large enterprises, but also small, specialized businesses that have unique skills or products. Over the last decade, we have seen an increased number of security breaches at all levels of this ecosystem, exposing years of development and innovative technology and putting it into the hands of our adversaries and those who seek to use it to their benefit.
To help mitigate the risk and ensure organizations at all levels are using best security practices within their organization, good security is essential. In this resource page, we explore one of the measures being implemented by the Department of Defense to address cybersecurity. We also discuss an emerging approach to cybersecurity called, Zero Trust, that has the potential to significantly improve security. Finally, we discuss how integrated governance, risk and compliance tools focused on continuous assessment and monitoring can be used to implement a comprehensive solution.
Why Do You Need A Cybersecurity Program?
As a federal contractor you are entrusted with federal contract information (FCI) and controlled unclassified information (CUI) that must be handled securely. This can be a challenge to get right. All businesses are faced with security challenges because of hackers seeking to gain access to user data, personal data, health records, intellectual property, FCI, CUI, and credit card data. The list of data types goes on and on. Every business is vulnerable and must proactively implement security programs to prevent the theft of sensitive data.
The DoD has developed standards like CMMC that must be followed to help ensure better security posture, but that alone turns into a check-box exercise with no real strategy. Taking a checklist approach to implementing CMMC is not a long-term strategy and is not going to mitigate the amount of data breaches that occur annually. Ultimately if organizations don't adopt better security controls and practices nothing will change. This can only be solved by implementing a programmatic approach to your cybersecurity practices and procedures. Take a look at our guide for establishing a security program based on CMMC.
What Is Controlled Unclassified Information (CUI)?
CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government wide policies. CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract.
To learn more about CUI and how to identify it, see the National Archives page About Controlled Unclassified Information (CUI)
Why Is CUI Important?
Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for adversaries. Loss of aggregated CUI is the one of the most significant risks to national security, directly affecting lethality of our warfighters. Visit the Defense Counterintelligence and Security Agency website to learn more.
What Is CMMC Certification?
Since 2018, the Department of Defense (DoD) has been working to set up a process to ensure that all defense contractors meet cybersecurity requirements for handling controlled unclassified information (CUI). In this blog, we discuss emerging security requirements such as NIST 800-171 and the Cybersecurity Maturity Model Certification (CMMC). We cover what you need to know regarding how these standards will impact your approach to cybersecurity as well as what you need to do to comply.
Fundamentally, NIST 800-171 and CMMC were designed to ensure that defense contractors are meeting at least a basic level of cybersecurity hygiene for protecting sensitive defense information (CUI). Existing federal contractors who provide IT services will already be familiar with the Capability Maturity Model Integration (CMMI) certification process. CMMI is a process used to determine the level of software development maturity. CMMI certification has become a common requirement for contractors bidding on IT related government contracts. CMMC is an attempt to put in place a similar process for cybersecurity. The CMMC process and rollout have undergone many updates since it was formally introduced in early 2020 and is currently being revised.
What Are The Seven Tasks To Do Now To Prepare For CMMC Certification?
If you are a DoD contractor, now is the time to take action to improve your organization’s cybersecurity. With the release of CMMC 2.0, DoD has delivered a clear message that it’s getting serious about cybersecurity. No organization should wait until the new framework is a mandatory requirement. What can you do now to ensure you can comply.
Understand, that audits will continue while the rulemaking process for CMMC 2.0 runs its course. The Rulemaking organization (DIBCAC) has announced plans to increase the size of its audit staff in response to the pressing need to improve security across the supplier community. The lowest-hanging fruit for DIBCAC is to simply check whether organizations has submitted its NIST SP 800-171 self-assessment score (SPRS score) as required: reports are that DIBCAC is steadily increasing such spot checks. Any organization that doesn’t have an SPRS score on file is sending a clear and problematic message about its cybersecurity capabilities to both DoD and prime contractors assessing potential subcontractors for teaming relationships.
Why Is CMMC Certification Important To Government Contractors?
Achieving a Cybersecurity Maturity Model Certification , or CMMC gives the Department of Defense as well as other state and federal agencies, reassurance about a contractor's security practices and controls for securing data. Contractors who are competing for prime contracts or working as a subcontractor will have a distinct advantage based on having a CMMC certification. Eventually, every state and federal agency will require all contractors to be CMMC certified when dealing with controlled unclassified information (CUI). When this occurs, all major prime contractors throughout the supply chain will comply and flow down those requirements to their network of subcontractors. If you'd like to stay in the game and potentially gain footing with the primes or government agencies you are currently doing business with, it's highly recommended that you start now. Obtaining a CMMC certification is a strong indicator to potential customers that you have in place the internal controls to manage performance risks.
What Is Required To Get CMMC Pre-Certified?
The need to comply with Cybersecurity Maturity Model Certification (CMMC) guidelines to win government contracts has almost become official. To prepare your company to meet the necessary requirements that this certification requires, now is the time to build up your cybersecurity infrastructure. Beyond the business advantage that meeting CMMC requirements provides, protecting data is an imperative that's never been more pressing.
The primary purpose of the CMMC program is to enhance the protection of controlled unclassified information (CUI) and federal contract information (FCI) shared within the Defense Industrial Base (DIB). CMMC is designed to assure the Department of Defense (DoD) that a DIB company can secure sensitive CUI and FCI , accounting for data flow down to the subcontractor level in a multi-tier supply chain.
However, even if your company doesn't fall within the DIB, the need to develop and maintain a strong line of defense against cybersecurity threats grows greater by the moment. Learn how your organization can get ready for its CMMC certification process.
What Is Zero Trust? What Do I Need To Know As A Government Contractor?
In recent years, cybersecurity research at leading universities has led to critical innovations in applied cryptography. These new technologies are based on best practices advanced by the National Security Agency (NSA) - the federal agency responsible for the nation's cybersecurity. The new technologies will enable organizations to enhance their cybersecurity and help them achieve CMMC levels necessary to do work for the DoD.
The NSA's February 2021 memorandum, Embracing a Zero Trust Security Model, describes a Zero Trust model as one that "eliminates trust in any one element, node, service and assumes that a breach is inevitable or likely has occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity." The NSA explains that Zero Trust approach contrasts with "traditional perimeter-based network defenses with multiple layers of disjointed security technologies [which] have proven themselves to be unable to meet the cybersecurity needed due to the current threat environment." The NSA memorandum urges the entirety of DoD and the DIB to adopt the Zero Trust security model.
President Biden amplified the NSA's call for a Zero Trust approach in his May 2021 Executive Order on Improving the Nation's Cybersecurity. The order mandated rapid development of plans by every federal agency for modernizing their approach to cybersecurity by, among other actions, implementing Zero Trust Architecture.
The Zero Trust security model, according to the NSA, is designed to secure the entire breadth of an organization's computing services, data resources, and network locations. It's a mindset that spans every CMMC 2.0/NIST SP 800-171 control family.
Note that while at this point it is still possible to comply with CMMC 2.0 and NIST SP 800-171 using legacy security systems, a better path to compliance is achievable through modern Zero Trust systems.
Why Is A Vulnerability Management Program Critical?
A vulnerability management program systematically identifies, evaluates, prioritizes, and mitigates vulnerabilities that can pose a risk to an enterprise's infrastructure and applications. A modern vulnerability management program combines automation, threat intelligence, and data science to predict which vulnerabilities represent the greatest risk to a specific environment. It leverages full visibility into a technology stack to target the riskiest vulnerabilities, enabling companies to adhere to designated SLA's, respond to threats rapidly, and have meaningful discussions about organizational risk tolerance.
What Are the Advantages of Integrated GRC and PM Software?
Cloud-based technology has allowed organizations to operate more efficiently. It has also opened the door to new security concerns that must be addressed. Data leakages, IP theft, system outages, data privacy, denial of service, financial theft, and ransoms are just a few of the current threats facing all organizations. As organizations continue to combat these threats, they will be required to implement security controls and establish a surveillance program focused on ensuring compliance. A key outcome of good surveillance is ensuring compliance with established controls, and when needed, implementing new security policies and practices and remediation actions to reduce risk. A comprehensive ongoing vulnerability management and surveillance program is required. To be cost-effective, the program must be supported by tools that reduce manual processes while enabling continuous assessment and monitoring. Governance, Risk, and Compliance (GRC) tools are needed to track compliance. Program Management tools are needed to track and manage security tasks needed to mitigate vulnerabilities and implement remediation actions. There are significant benefits that can be achieved when these tools are integrated. Explore CentrumCyber Systems GRC tool, Centrum Cyber, which provides an integrated suite of tools for managing the entire security lifecycle.
What's Required To Establish A Continuous Security Assessment And Monitoring Program?
Cost-effective governance establishes systematic security programs that assess, remediate, and continuously monitor security posture. As security threats continue to evolve, organizations need to implement continuous assessment and monitoring tools to avoid spending a large portion of their operating budget on governance and compliance.