The CMMC started within the Department of Defense (DoD) to reduce the theft of military intelligence, but, as expected, it doesn’t look like it will be long before it spreads to other sectors. There’s interest in amending Sarbanes-Oxley to include CMMC, which will impact the financial sector. Don’t fear that this is just an additional burden: the CMMC model is set up to be clearer and easier to implement. Standardization in security compliance is a win for businesses trying to juggle multiple requirements.
Federal Contract Information (FCI) is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It excludes information provided by the Government to the public, or simple transactional information, such as that necessary to process payments.
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at https://www.dodcui.mil/CUI-Registry-New/
The CMMC Program provides assessments at three levels, each incorporating security requirements from existing regulations and guidelines.
Level 1: Basic Safeguarding of FCI
Level 2: Broad Protection of CUI
Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats
For details of Assessment and Affirmation requirements and the use of a POA&M, visit About CMMC.
It is best to start by understanding your current state and how it compares to the requirements of the level you want. Where you THINK you stand is often very different from where you actually stand. A POA&M (Plan of Action and Milestones) must be closed out within 180 days for Levels 2 and 3, and is not permitted at all for Level 1. You must meet every requirement before you are considered certified. There’s no “we are working on it”.
Most companies benefit from partnering with a company well educated in cybersecurity and compliance. It seems every IT company says it does the same thing, whether it has 5 employees or 50. Can that be true? No, but how can you tell?
It’s hard to judge differences in the quality of staff, although experience and certifications can be a good indicator. For cybersecurity and compliance specifically, measure your partners against this checklist.
Experience in Risk Assessments mapped to compliance standards.
There’s a lot of information out there, just like this post. Be sure to go straight to the source, which is what we do: https://dodcio.defense.gov/CMMC/About/