CMMC and Export Compliance Program Violations


Cybersecurity Maturity Model Certification (CMMC) and export compliance programs should be coordinated efforts driven by upper management to avoid export regulation violations.  A Federal News Network article reported that CMMC assessments are uncovering previously unknown export regulation violations.  The article points out the dangers of maintaining compliance programs in separate silos.

Technology Control Plan

A Technology Control Plan (TCP) describes how to protect items and information that fall under export regulations.  This includes export-controlled items, technical data, and Controlled Unclassified Information (CUI) at a facility.  A TCP is a key part of an International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) export compliance program.  It explains the basic steps to secure and manage export-controlled technology and protect it from unauthorized access by implementing physical security measures and personnel screening.

The TCP, while important, does not detail the controls required for a comprehensive information security system.  For this reason the DoD has made CMMC a contractual obligation for the Defense Industrial Base.

CMMC Requirements Now in Place

CMMC establishes a tiered framework of cybersecurity standards based on NIST SP 800-171 controls.  The Department of Defense (DoD) created it to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  CMMC assessments are conducted by Certified Third-Party Assessment Organizations (C3PAOs) based on DoD contracting requirements.  These requirements for CMMC programs fall under three levels:

  • Level 1: Requires an annual self-assessment and affirmation of compliance with 15 basic security requirements.
  • Level 2: Involves a more comprehensive assessment every three years, focusing on 110 security requirements from NIST SP 800-171.
  • Level 3: Similar to Level 2 but includes additional requirements to protect against advanced persistent threats.

Coordination of Efforts Essential

Export compliance programs determine, through classification, which articles and technology are subject to export regulations.  They also determine which parties are eligible to access those articles and technology through denied parties screening and licensing.  These actions give an organization’s cybersecurity team the boundaries it needs to ensure that the associated information is kept confidential, intact, and accessible only to appropriate personnel.

The two teams must work in conjunction to identify risks, define mitigations, ensure that mitigating efforts are adequately resourced, and monitor and evaluate the actions taken.  Export regulations are in a constant state of flux, which alters which technical information falls under regulatory control.  Additionally, threat matrices are constantly shifting as adversaries exploit new vulnerabilities and circumvent cybersecurity protections.

The Role of Upper Management

Upper management must remain informed of both teams’ status and requirements.  Policies should be created and shared to build a culture of compliance, and regular training should be given to support these efforts.  Management must ensure that data is mapped in all departments to identify and protect Controlled Technical Information.

It must also ensure that cybersecurity requirements are communicated to all vendors and contractors.  Ultimately, management’s greatest concern is to ensure that all parties work together to protect the organization from costly regulatory violations and cybersecurity incidents.  Such incidents can result not only in costly civil and criminal fines but also in a loss of the organization’s reputation and revocation of its export privileges.

CVG Strategy Export Compliance Management Programs

Organizations implementing and maintaining CMMC and Export Compliance programs in the United States face numerous challenges in these rapidly evolving business areas.  Export Compliance Management Programs establish clearly defined policies and procedures for all departments within an organization to prevent export control violations.  They also ensure that training, auditing, and record keeping are maintained according to requirements.

CVG Strategy can help you understand revisions to the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), and help you establish a coherent and effective export compliance program.  We can perform export control classifications, perform audits, assist in filings for export licenses, and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.

CVG Strategy CMMC Consultants

After significant delays, the DFARS rule implementing CMMC requirements for DoD contractors and subcontractors is here.  Many small businesses face challenges meeting CMMC requirements because of limited budgets and a lack of qualified personnel.  CVGS can provide guidance and help your organization understand and implement CMMC.

We are dedicated to helping small businesses navigate federal regulations and contract requirements for Quality Management, Cybersecurity, Export Compliance, and Test and Evaluation.  We can help you meet your information security management system goals.  CVG Strategy QMS experts can provide the training required to understand and operate an ISMS and make it meet your desired objectives.

Identify CUI Areas with CVG Strategy Signs

CVG Strategy provides signs to identify areas containing CUI and export-controlled items.  These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per Title 22, Code of Federal Regulations (CFR), Parts 120-130.

Jamie Hamilton