CMMC Level 3 = Adequate Security. Otherwise, “no-go.”
The Department of Defense (DoD) has been requiring adequate security since the release of DFARS 252.204-7012 in the Fall of 2016.
Now, the DoD is stepping up its game with the Cybersecurity Maturity Model Certification (CMMC).
Why? Because DFARS 252.204-7012 was originally built on trust.
The implicit expectation was that defense contractors could be trusted to self-assess their own cyber security maturity level. Since cyber can be hard to do well, this was a tall order for small business contractors who are not cyber experts.
The DoD has cited multiple cases where this is not working across the Defense Industrial Base.
With certification comes proof and attention to detail.
The cybersecurity landscape for defense contractors is always going to evolve, because the threats will always evolve. The CMMC will help the DoD build a stronger and more secure defense system.
Self-Assessing PLUS Subject Matter Expertise
As mentioned above, prior to the Cybersecurity Maturity Model Certification, the DoD relied on “trust” of contractors to comply with cybersecurity requirements.
Under the DFARS 252.204-7012 clause, contractors are allowed to self-assess and respond “yes or no” when asked if they have the 110 NIST SP 800-171 controls in place. The DoD has said this method of trust is not working as a stand-alone plan of action.
Katie Arrington (Chief Information Security Officer for the assistant defense secretary for acquisition) leads the CMMC team. Here is her quote on trust from a recent cybersecurity summit in Washington, DC:
“It’s trust but verify, and we couldn’t make that work with self-attestation because there’s no way to verify it.”
Reports, surveys and audits (like the DoD IG report from July 2019) show that contractors are not investing the same amount of time and effort in cybersecurity as they do in the quality and cost of their products or services.
Can we really blame them?
Cybersecurity is a subject matter that requires expertise, no different from the expertise required to make a specific widget for the DoD.
Self-assessments are a good way to keep progress moving internally; a subject matter expert can then verify that progress.
The DoD is not asking small to medium size businesses to implement Fort Knox’s level of security. They are requiring adequate security and good cyber hygiene.
That is what the Cybersecurity Maturity Model Certification is all about.
Tax paying citizens of the United States of America do not want the DoD buying “basic” or “average” products and services to build defense systems to protect our country, right?
Then why should we be OK with the DoD buying from organizations that have basic or average security protecting the intellectual property that protects our country?
Working with subject matter experts to verify progress of implementation is vital to maintaining an adequate security program.
CMMC Level 3 is Adequate Security
When breaking down the CMMC and looking at each of the five levels, one major difference between CMMC Level 2 and CMMC Level 3 is ongoing security management.
Controls are becoming “practices” and “processes.” Just because an organization has purchased security solutions does not mean they are properly in place or correctly implemented.
Going from “average” to “good” means a contractor’s security is an ongoing program that is always in place, not just at audit time.
Implementation, when done incorrectly, is a major security risk to any business. For cybersecurity to become the foundation of an organization, security always needs to be top of mind.
Top-of-mind security helps an organization achieve adequate security. By implementing the CMMC Level 3 requirements, that is what an organization will achieve.
How does a business that specializes in making top-quality products for the DoD also specialize in keeping an adequate security program in place?
Work with subject matter experts.
Not just cybersecurity experts, but those who understand the defense contracting space as well.
There is no blinky box solution to DFARS 252.204-7012 and NIST SP 800-171. However, there are practical and affordable solutions available (more on that below).
Implemented vs Compliant
A CMMC 3rd Party Assessment Organization (C3PAO) is going to be asking for proof from defense contractors on how they process, store and transmit Controlled Unclassified Information (CUI).
When DFARS 252.204-7012 was released, the idea of “compliance” became the term that concerned everyone.
Being compliant meant identifying an organization’s gaps via an assessment mapping back to the NIST SP 800-171 controls (all 110 of them). From there, a System Security Plan (SSP) and Plan of Action and Milestones (POAM) were to be developed and followed.
Compliant? Yes. Implemented? Not unless the POAM is complete.
Guess how many contractors completed their POAM by the DFARS deadline of December 31, 2017?
Implementation of the NIST SP 800-171 controls is different from compliance. The “trust” factor is out the window; contractors now have to prove implementation.
China and Russia do not care if a business is compliant, they care if the business has implemented effective security controls!
If an organization handling CUI has the practices and processes of CMMC Level 3 in place at all times, it becomes a difficult target.
Right now, it is easy for adversaries to steal intellectual property. We need to make it difficult.
Utilize a 3rd party’s expertise and guidance on how to become a secure and difficult target through full implementation, not just check-the-box compliance.
“What if We Fail Our Audit?”
The release of the Cybersecurity Maturity Model Certification has caused a lot of defense contractors to sit up straight. Some are nervous, some are stressed, some are confused.
Rather than risking a go/no-go audit outcome, get prepared and implemented now.
The Cybersecurity Maturity Model Certification team has not released the protocol for failed CMMC audits.
Perhaps that’s on purpose because they want trustworthy feedback on what others think that process should look like, so they can do it right.
Wasting large amounts of time and resources on consultants who charge through the roof, only to tell organizations what they are missing (rather than solving the problem), doesn’t help a business, especially a small business.
A practical, affordable and secure solution already exists. It’s called CUICK TRAC.
The Adequate Security Solution to CMMC Level 3
CUICK (pronounced “quick”) TRAC is built for the small to medium-sized defense contractor. Every DFARS 7012/NIST SP 800-171 Rev 1 technical and non-technical requirement, implemented in as few as 14 days.
In order to become CMMC Level 3 certified, contractors will need NIST SP 800-171 Rev 1 as a baseline. All additional practices and processes required for CMMC Level 3 (once officially released) will also be included with CUICK TRAC.
TRAC stands for Training, Risk Assessment, Administration and Controls. These 4 elements are the core of a good security program.
When it comes to DFARS 252.204-7012, separation of duties is a key component to the requirements.
Security cannot do IT’s job and IT cannot do security’s job. They need to collaborate with each other.
A handful of problem solvers (from both cybersecurity and IT) realized the only true way to secure small business defense contractors was through collaboration, not competition.
Built from the ground up, based solely on the 110 NIST SP 800-171 controls, CUICK TRAC allows small business contractors to process, store and transmit Controlled Unclassified Information while being fully implemented to the CMMC Level 3 requirements (NIST SP 800-171 Rev 1 plus the additional practices and processes).
Who wants to take a test they know they will fail? That is not constructive for anyone.
Get implemented with CUICK TRAC, where the 3rd party assessment happens after implementation. That way, the business is prepared for their CMMC audit with confidence!
Be confident. Be Proud.
The supply chain of the DoD is unique. A large portion of it is made up of small businesses. Think about how great that is: small businesses working together to defend our country. Again, collaboration!
Protecting the warfighter should instill a sense of pride. Confidently knowing the organization is consistently going to meet the requirements of the Cybersecurity Maturity Model Certification gives a business a competitive advantage over its competitors.
CUICK TRAC allows defense contractors to buy down risk and buy up certainty.
Achieving adequate security and good cyber hygiene is a challenge, but it doesn’t need to be daunting. In fact, businesses receive a challenge coin after implementing CUICK TRAC!
Protect the business, protect the warfighter and protect our country.
Beryllium InfoSec Collaborative (“Beryllium” for short) is an information security and cybersecurity company located in Minneapolis, Minnesota. As a veteran-owned small business, Beryllium has 80-plus years of experience across industry and government. We are National Institute of Standards and Technology (NIST) information security experts who know the balance between security needs and operational requirements. NIST provides the definitive compilation of guidelines from which all other standards are derived, either partially or wholly.
Beryllium is unique in that we use strategic collaboration, education, and a holistic approach to information security and cybersecurity. From small and medium-sized businesses (SMBs) to enterprise organizations, our expertise in the NIST information security and cybersecurity guidance allows us to build unique, compliant and cost-effective solutions for any organization.