CMMC Certification – We Can Help!

As a Cybersecurity and NIST Consultant, we are prepared to help Department of Defense (DoD) companies and contractors to develop their Cybersecurity Maturity Model Certification (CMMC) programs.

The development of CMMC has been a concern for companies in the Defese Industrial Base (DIB) and many have voiced concerns that the CMMC was creating barriers to participation in the DoD acquisiton process.  These concerns have been amplified as new versions of the proposed requirements have been released.

For many defense contractors, their DoD contracts comprise a significant portion of their business.  These companies must reach a required level of compliance for cybersecurity.  Many are choosing to use CVG Strategy to perform their NIST 800-171 / CUI / CMMC assessments.

What is CMMC?

Protecting Controlled Unclassified Information (CUI) has been a priority for the DOD for many years now. The effort to implement the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 (48 CFR § 252.204-7012 – Safeguarding covered defense information and cyber incident reporting) on contractors was an effort with a deadline of December 31, 2017.

As final release has repeatedly been delayed, new interim requirements and versions of the requirements have been released.  With the release of CMMC 2.0 in November of 2021 many organizations are still struggling to adopt the necessary controls and protocols.  Despite the fact that a final release is still pending, the DoD has repeatedly encouraged companies to move ahead with their programs.

Integrating Information Security Management Systems

Many companies manage their cybersecurity and information security systems with a process control known as an Information Security Management System or ISMS.

A common framework for an ISMS uses ISO 27001 which is an information security standard, part of the ISO/IEC 27000 family of standards, of which the last version was published in 2013, with a few minor updates since then. It is published by the International Organization for Standardization and the International Electrotechnical Commission under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.

CMMC Certification

Benefits of an ISMS Assessment (NIST 800-171 / CUI / CMMC)

ISMS Assessments by our Certified ISO 27001:2013 Lead Auditors can help you meet these compliance requirements and reduce uncertainity.  Our assessments map NIST 800-171 to the DFARS Requirements (48 CFR § 252.204-7012 – Safeguarding covered defense information and cyber incident reporting) and to the new CMMC requirements.  So we have multiple standards covered with our approach!

NIST SP 800-53 Appendix D provides informal mappings of the security requirements to the relevant security controls in NIST Special Publication 800-53 and ISO/IEC 27001. The mappings promote a better understanding of the security requirements and are not intended to impose additional requirements on non-federal organizations.

The mapping tables included in NIST 800-53 are supposed to be “for informational purposes only”.  However, they really do make sense for non-federal organizations as a basis and for linkage to other standards to have a comprehensive mapped assessment framework. Because the security controls were developed for federal agencies, much of the supplemental guidance associated with those controls may not be applicable to non-federal organizations.

Some of the relevant security controls include additional expectations beyond those required to protect CUI and are considered to be tailorable using the appropriate criteria.

Our Certified ISO 27001 Lead Auditors use this NIST SP 800-53 table as a basis for mapping to NIST SP 800-171 as well as the CMMC Certification Framework.

CMMC Compliance

Our Certified ISO 27001:2013 Lead Auditors and CISSP Consultants do the following:

  1. Perform a detailed assessment to determine your compliance level
  2. Prepare and assist in development of a Statement of Applicability (SoA)
  3. Develop the required Systems Security Plan (SSP) and Plan of Action & Milestones (POA&M)
  4. Successfully implement the security controls and requirements in NIST SP 800-171

The Statement of Applicability (SoA) forms a fundamental part of your information security management system (ISMS) and, together with the Scope, as described in 4.3 of ISO 27001:2013, will offer assurance to your auditors and other interested parties, of the depth and breadth of your ISMS. With mapping to required additional standards such as NIST 800-171, NIST 800-53, DHS 4500a and many more, the SoA is the justification that the appropriate controls have the appropriate attention and support.

Readiness – Supply Chain

The United States Department of Defense (DoD) has recently (January 31, 2020) finalized a new cybersecurity requirement that will impact all participants in their supply chain. This effort comes on the heels of the updates to existing requirements (DFARS 252.204-7012 and NIST Special Publication 800-171) which have been described as a static solution to a dynamic problem.

Identified with previous requirements found in NIST 800-171, they have permitted a plan of actions and milestones (POAM) as evidence of compliance. 

Unfortunately, this was without actually requiring closure of identified open items.  With no mechanism to be certain that the actions have been taken to improve or correct deficiencies, DOD has a concern that these systems were not actually being improved.

Based on several high-profile breaches where significant U.S. Military information was taken by “foreign bad actors” combined with what is assumed are hundreds of other unreported breaches, the NIST 800-171 requirement is not working. Losses per year in excess of $600B to our global adversaries are being cited by the US Government.

Theft of private sector Intellectual Property or IP is he greatest counterintelligence risk to the United States, not the theft of government data. Bad Actor Foreign Governments like China are making considerable efforts to steal U.S. IP. And the U.S. Counterintelligence Agencies are focused on stopping this in its tracks. But, they cannot do this without industry taking up some of the workload and responsibility.

Steps like implementing a replacement for NIST 800-171 like the CMMC will help to secure the supply chain and are critical to plugging the data leaks to bad actors. Cybersecurity must be baked-in across all parts of the supply chain for government contractors, and this is the goal for CMMC certification requirements.  Just like other new standards and requirements, the first contractors who achieve an appropriate level of certification will likely get more and newer contracts over their competitors.

SPRS Assessments

An SPRS Cybersecurity Assessment is a requirement for businesses providing products or services to the Department of Defense (DoD).  This Supplier Performance Risk System assessment is to be completed by the contractor before DoD contracts can be awarded.  

This requirement was released as an interim ruling on September 29, 2020 to provide protection of Controlled Unclassified Information (CUI) until the Cybersecurity Maturity Model Certification (CMMC) framework is fully implemented.  The interim ruling, DFARS 252.204-7012, places immediate cybersecurity requirements on Department of Defense (DoD) supply chain contractors

The assessment is based on a scoring methodology of security requirements based on the NIST SP 800-171 DoD assessment methodology.

CVG Strategy Information Security Management System Consultants

We can help you prepare for your organiztion’s CMMC certification.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in a ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes and much more.  Contact us to learn more.

 

How Can We Help?

Take a look around our site and contact us for more information on how we can help you meet your challenges.

Latest News