The Cybersecurity Maturity Model Certification (CMMC) framework is quickly becoming a reality, yet it is causing some confusion in the marketplace.
The ultimate goal of CMMC is to tighten cyber security across the supply chain of the Defense Industrial Base (DIB). Companies wishing to do business with the Department of Defense (DoD) must meet defined cyber security standards and have that compliance verified.
That said, there are significant benefits for federal contractors that meet these certification requirements, including:
- Competitive advantage. Implementing CMMC requirements demonstrates to the rest of an organization's customer base the strength of its cyber security capabilities. The DoD now treats cyber security certification as a consideration on par with cost, schedule and performance, so many prime contractors are racing to achieve the highest level of certification.
- Increased security. With remote work likely to continue for segments of the workforce, security has taken on greater importance. The CMMC standards help secure contractor networks and increase internal and external confidence in performing remote work for the government. Every organization's cyber security posture benefits.
- Improved risk management. The CMMC approach helps federal agencies and contractors better evaluate how their supply chain is understanding and handling risk. In turn, the right governance, controls and procedures can be implemented and validated to prevent and lessen the impact of breaches and incidents.
By taking the right steps toward certification, contractors put themselves in a stronger position to realize all of these benefits.
Organizations may be concerned that implementing CMMC will be complex and expensive. Although the process of assessments and certifications is multi-layered, many contractors may be surprised to find they already meet certain requirements. For example, Level 1 contractors must demonstrate the same basic cyber hygiene practices that every U.S. federal government contractor is already required to have adopted under the Federal Acquisition Regulation (FAR) basic safeguarding clause (FAR 52.204-21), such as the use of antivirus software and basic firewalls. Most organizations should already be at this level.
Meanwhile, larger DoD contractors may be at the higher levels of the CMMC framework. For example, Level 4 organizations have implemented intelligence-led, threat-based practices to detect and respond to advanced persistent threats.
There is much to navigate in the CMMC model, including multiple processes and capability domains that must be put into practice and matured to the point where they can pass third-party certification. That is why it is critical to lean on the right partners.
A Journey Best Suited for Partnership
The multiple layers in CMMC can be problematic for organizations striking out on their own to achieve the necessary certifications. For example, the DoD recently issued an interim rule that requires defense contractors to report assessments of their implementation of the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) controls.
This interim rule, which went into effect on Dec. 1, 2020, applies to new and renewing contracts. Read more details in this blog post, but the point is clear: the complexity arises in the assessments, which require existing familiarity with, and existing documentation of, compliance with the NIST SP 800-171 requirements. Many contractors are finding that their original, self-certified system security plan is outdated now that they are submitting it for additional scrutiny. And now that the DoD has published the Controlled Unclassified Information (CUI) portal, some are also surprised to learn that documents carrying legacy markings such as "For Official Use Only" or "Sensitive But Unclassified" must be brought into their CUI program.
That is why it is important to have expert partners. FireEye and Ardalyst have teamed up to support CMMC initiatives. Working together, we provide a one-stop shop for federal agencies, including the DoD, as well as the DIB, to not only become compliant quickly with their underlying governing policies, but also to mature their capabilities so they are hardened and defended against all levels of threats. Our expertise, knowledge of the CMMC rules, and robust cyber security solutions combine to meet compliance requirements and put organizations on sure footing against the most advanced cyber threats.
Ardalyst's team has more than 90 combined years of cyber-operational experience. We have found that internal initiatives for NIST SP 800-171 compliance typically take 12 to 18 months. We are confident that, with our tailor-made managed cyber security maturity program and curated compliant capabilities, we can help a business become compliant in as little as six months.
We are helping contractors fast-track NIST SP 800-171 compliance and eventual CMMC certification with a comprehensive set of solutions that enables organizations to mature cost-effectively and easily as compliance requirements evolve. We invite government contractors to get more information and sign up for a free planning session.
FireEye works in conjunction with Ardalyst to ensure organizations are well prepared for CMMC. Our solutions have security expertise baked in. For example, FireEye Cloudvisory can assess cloud configurations against best practices and compliance standards such as NIST SP 800-171, all from a single console. It continuously monitors environments and reports on actions that fall out of compliance. Cloudvisory also provides visibility into which user activities and compliance issues may increase risk. Automated compliance reporting helps keep security staff focused on advanced tasks such as threat hunting instead of audit preparation.
In addition, contractors stand to benefit from Mandiant Security Validation. Its cyber security management platform enables organizations to continuously validate the effectiveness of their security posture against current threat intelligence, and it provides evidence of configuration issues and gaps across people, processes and technologies. By identifying gaps and redundancies, organizations can optimize both security posture and spending, better understand their threat susceptibility and reduce their attack surface.
Combined, Ardalyst services and FireEye solutions bring the deep expertise necessary to guide every contractor doing business with the DoD on its CMMC journey and beyond.
To get started, reach out to your FireEye Account Manager to learn how we help organizations develop and mature the strongest front lines against cyber threats.
Josh O’Sullivan currently serves as the Chief Technology Officer at Ardalyst.