CMMC Certification – We Can Help!

As a Cybersecurity and NIST Consultant, we are prepared to help Department of Defense (DoD) companies and contractors with CMMC Certification.

When the CMMC (Cybersecurity Maturity Model Certification) Accreditation Body approves the registration bodies, there will be a set of Third Party Assessment Organizations (C3PAOs) approved.  These Third party organizations are accredited by the official CMMC Accreditation Body and will then be authorized to conduct CMMC assessments and grant CMMC certifications. Companies such as CVG Strategy, will provide pre-assessment training, implementation and subject matter support.

Protecting Controlled Unclassified Information (CUI) has been a priority for the DOD for many years now. The effort to implement the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 (48 CFR § 252.204-7012 – Safeguarding covered defense information and cyber incident reporting) on contractors was an effort with a deadline of December 31, 2017. This new standard, CMMC, is intended to replace the implementation of NIST 800-171 for DOD Contractors.

Many DOD Contractors have contracts with the DOD and they make up a significant portion of their business. It would be catestrophic for these companies to risk failing an upcoming Cybersecurity Maturity Model Certification or CMMC audit.  Many are choosing to use CVG Strategy to perform their NIST 800-171 / CUI / CMMC pre-assessments so they know exactly what they need to do to pass the DOD Audit.

CMMC CertificationMany companies manage their cybersecurity and information security systems with a process control known as an Information Security Management System or ISMS. A common framework for an ISMS uses ISO 27001 which is an information security standard, part of the ISO/IEC 27000 family of standards, of which the last version was published in 2013, with a few minor updates since then. It is published by the International Organization for Standardization and the International Electrotechnical Commission under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.

Benefits of an ISMS Assessment (NIST 800-171 / CUI / CMMC)

ISMS Assessments by our Certified ISO 27001:2013 Lead Auditors can help you meet these compliance requirements and reduce uncertainity.  Our assessments map NIST 800-171 to the DFARS Requirements (48 CFR § 252.204-7012 – Safeguarding covered defense information and cyber incident reporting) and to the new CMMC requirements.  So we have multiple standards covered with our approach!

NIST SP 800-53 Appendix D provides informal mappings of the security requirements to the relevant security controls in NIST Special Publication 800-53 and ISO/IEC 27001. The mappings promote a better understanding of the security requirements and are not intended to impose additional requirements on non-federal organizations.

The mapping tables included in NIST 800-53 are supposed to be “for informational purposes only”.  However, they really do make sense for non-federal organizations as a basis and for linkage to other standards to have a comprehensive mapped assessment framework. Because the security controls were developed for federal agencies, much of the supplemental guidance associated with those controls may not be applicable to non-federal organizations. Some of the relevant security controls include additional expectations beyond those required to protect CUI and are considered to be tailorable using the appropriate criteria.

Our Certified ISO 27001 Lead Auditors use this NIST SP 800-53 table as a basis for mapping to NIST SP 800-171 as well as the CMMC Framework.

Compliance

Our Certified ISO 27001:2013 Lead Auditors and CISSP Consultants do the following:

  1. Perform a detailed assessment to determine your compliance level
  2. Prepare and assist in development of a Statement of Applicability (SoA)
  3. Develop the required Systems Security Plan (SSP) and Plan of Action & Milestones (POA&M)
  4. Successfully implement the security controls and requirements in NIST SP 800-171

The Statement of Applicability (SoA) forms a fundamental part of your information security management system (ISMS) and, together with the Scope, as described in 4.3 of ISO 27001:2013, will offer assurance to your auditors and other interested parties, of the depth and breadth of your ISMS. With mapping to required additional standards such as NIST 800-171, NIST 800-53, DHS 4500a and many more, the SoA is the justification that the appropriate controls have the appropriate attention and support.

Readiness – Supply Chain

The United States Department of Defense (DoD) has recently (January 31, 2020) finalized a new cybersecurity requirement that will impact all participants in their supply chain. This effort comes on the heels of the updates to existing requirements (DFARS 252.204-7012 and NIST Special Publication 800-171) which have been described as a static solution to a dynamic problem.

Identified with previous requirements found in NIST 800-171, they have permitted a plan of actions and milestones (POAM) as evidence of compliance.  Unfortunately, this was without actually requiring closure of identified open items.  With no mechanism to be certain that the actions have been taken to improve or correct deficiencies, DOD has a concern that these systems were not actually being improved. Based on several high-profile breaches where significant U.S. Military information was taken by “foreign bad actors” combined with what is assumed are hundreds of other unreported breaches, the NIST 800-171 requirement is not working. Losses per year in excess of $600B to our global adversaries are being cited by the US Government.

Theft of private sector Intellectual Property or IP is he greatest counterintelligence risk to the United States, not the theft of government data. Bad Actor Foreign Governments like China are making considerable efforts to steal U.S. IP. And the U.S. Counterintelligence Agencies are focused on stopping this in its tracks. But, they cannot do this without industry taking up some of the workload and responsibility.

Steps like implementing a replacement for NIST 800-171 like the CMMC will help to secure the supply chain and are critical to plugging the data leaks to bad actors. Cybersecurity must be baked-in across all parts of the supply chain for government contractors, and this is the goal for CMMC.  Just like other new standards and requirements, the first contractors who achieve an appropriate level of certification will likely get more and newer contracts over their competitors.

How Can We Help?

Take a look around our site and contact us for more information on how we can help you meet your challenges.

Latest News