If you do any type of business with the Department of Defense, then you’re most likely familiar with the current standard of security requirements under NIST 800-171 that dictate the security requirements to keep Controlled Unclassified Information (CUI) safe when stored on non-Federal systems.
This standard was first introduced in 2015 and became mandatory at the end of 2017. It covers just about all aspects of system monitoring and data security, including but not limited to:
- Access Control
- Audit and Accountability
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Risk Assessment
- System and Information Integrity
A new standard that’s due to be released in January of 2020 is going to supersede the NIST 800-171 requirement. That new standard is the Cybersecurity Maturity Model Certification (CMMC), and it’s designed to offer a more practical approach to DoD cybersecurity compliance.
We’re going to give you an overview of the new CMMC standard, how it differs from its predecessor, and what you need to know to be ready for it so the new requirement won’t disrupt any of your government business.
How Does CMMC Differ from NIST 800-171?
Is the CMMC part of the 800-171? No, it’s a completely new standard. And while it will naturally contain similar cybersecurity best practices, it is not an evolution of the older standard; rather, it will draw on several different security standards.
There are two major ways that these DoD security standards differ and impact government security compliance for small businesses.
Only Implement the Requirements Needed
A big difference between 800-171 and CMMC is that CMMC will implement multiple maturity levels of cybersecurity. These levels will range from “Basic Cybersecurity Hygiene” to “Advanced.”
This means that depending upon the type of business you do with the Department of Defense, you may only need to meet a Level 1 requirement, rather than having to meet all of them. This can be a significant cost-saver for smaller businesses who won’t need to implement unnecessary security protocols.
3rd-Party Certification Will Be Required
Under NIST 800-171, contractors could self-attest to compliance with the standard. But with CMMC, DoD contractors will have to have 3rd-party certification (such as from an IT professional) that they’ve complied with the appropriate security level.
This means that if you’re bidding on a contract that requires a Level 1 certification, a 3rd-party will need to provide verification that you’ve implemented all of the required Level 1 controls included in the CMMC framework.
At the heart of the standard are the five levels, which are referred to as Level Practices. Prior to the standard being released to the public in January of 2020, there may be some revisions. The details below are as of September 2019.
- Level 1: Basic Cyber Hygiene, includes 35 practices
- Level 2: Intermediate Cyber Hygiene, includes 115 practices
- Level 3: Good Cyber Hygiene, includes 91 practices
- Level 4: Proactive, includes 95 practices
- Level 5: Advanced/Progressive, includes 34 practices
Here are some of the main things you need to know about CMMC compliance expectations for DoD contractors.
Why the Change?
The main reason given for the change from the NIST 800-171 standard to the CMMC framework is a series of high-profile breaches of Department of Defense information. This caused a reevaluation of the security controls currently in place to see how they could be improved upon.
Contractor Compliance Requirements
While the standard will be released in January, it will take time to roll out CMMC, so you’re currently still required to comply with the NIST 800-171 standard.
June of 2020 is when it’s expected that CMMC requirements will begin to appear as part of Requests for Information.
How Will You Get Certified?
Businesses should coordinate directly with an accredited and independent third-party commercial certification organization. You’ll request the proper level of certification, and upon meeting the requirements will be awarded a certification for that level.
How Often is Reassessment Needed?
The duration of the certification has not been decided yet.
If I’ve Had a Breach, Do I Lose Certification?
No, you won’t automatically lose CMMC certification if you’ve been compromised; however, you may be asked to recertify, depending upon the circumstances.
Does My Organization Have to Be CMMC Certified?
Yes, once the standard becomes a requirement, you must have CMMC certification to do business with the DoD.
Is Certification Reimbursable?
Yes, the cost of the CMMC certification will be considered an allowable, reimbursable cost.
Get Your Cybersecurity Questions Answered by the Pros
If you have any questions about cybersecurity requirements for the DoD or for compliance with any other standards, such as HIPAA or PCI-DSS, Texas I.T. Pros are here to help! We can provide a full security assessment and let you know where you stand.
Contact us today to set up your I.T. security assessment at 940-239-6500 or reach out online.