Preparing for a Cybersecurity Maturity Model Certification (CMMC) 2.0 assessment can be completely overwhelming. Here’s the good news: If you’re NIST 800-171 compliant, you’re more than halfway there. If you’re not, you’ve got some work to do for sure, but it’s not as complicated or daunting as you may fear.
Created by the National Institute of Standards and Technology, the NIST 800-171 framework is a companion document to NIST 800-53 and dictates how contractors and sub-contractors of federal agencies should manage Controlled Unclassified Information (CUI). It's also designed specifically for non-federal information systems and organizations in the Defense Industrial Base (DIB) who must implement the recommended requirements contained in NIST SP 800-171 to demonstrate they have adequate security to protect the covered defense information included in their defense contracts, as required by DFARS.
NIST 800-171 is a comprehensive set of requirements containing 28 basic security requirements and 81 derived security requirements. That’s a total of 110 requirements, which includes 320 total objectives, across the entire scope of NIST SP 800-171!
If a manufacturer is part of the supply chain for the U.S. Department of Defense (DoD), General Services Administration (GSA), NASA or other federal or state agencies, the implementation of the security requirements included in NIST SP 800-171 is a must.
Where Does CMMC Fit?
CMMC is the DoD program that enables DIB contractors to protect against the compromise of sensitive defense information on their systems. CMMC is intended to standardize and raise the bar for cybersecurity among DIB contractors -- essentially creating a procurement gate that a contractor must pass to be eligible to bid and execute upon a government contract. It uses CMMC third-party assessment organizations to evaluate contractors’ compliance with certain mandatory practices, procedures and capabilities related to evolving cyber threats.
With a goal of strong data confidentiality, CMMC requires 100% of the controls are met. Anything less is non-compliant, making a delay in implementing costly due to risks and penalties.
In November 2021, the DoD announced CMMC 2.0. This new revision to the program includes three certification levels that reflect the maturity and reliability of a company’s cybersecurity infrastructure. The three levels are tiered and build upon each other’s technical requirements.
NIST based 800-171 on 800-53, but removed controls, or parts of controls, that were uniquely catered to federal organizations. The framework now consists of 14 Control Families, whereas CMMC 1.0 contained 17 Domains.
NIST 800-171 is a guideline for non-federal organizations that must securely process CUI content, within internal and external information systems, in support of federal activities. For government contractors supporting the DoD, CMMC 2.0 Level 2 and DFARS 7012 require NIST 800-171 compliance across information systems and policies.
The Impact of CMMC Will Expand
The impact of CMMC cannot be understated with expected expansion covering civilian agencies, research universities, allies, and GSA’s STARIII contracts. Here are some anticipated examples:
- Cyberspace Solarium Commission report suggested implementation of CMMC for civilian agencies
- CMMC will change how research universities approach security
- Department of Homeland Security may follow DoD CMMC model
- CMMC requirement is showing up in GSA STARIII contract
- U.S. allies are considering adoption of CMMC
All indications are that many federal contracts beyond DoD will soon require CMMC 2.0 compliance. Depending upon your business' previous investments and current security posture, it is strategic and cost effective to implement security solutions that satisfy NIST 800-171 by leveraging Microsoft 365 (M365) and Microsoft Government Community Cloud (GCC) and Government Community Cloud High (GCC High).
We Take the Risk and Complexity Out of Migration
Daymark is a Microsoft Licensing Partner for Microsoft 365 Government Community Cloud (GCC), GCC High and Azure Government. GCC and GCC High are secure platforms designed for U.S. federal, state, and local governments, as well as for organizations that deal with government data that falls under strict regulatory requirements. GCC High enables DIB organizations to meet compliance requirements of CMMC 2.0 Level 2.
Our proven methodology, phased approach and Microsoft expertise enable organizations to securely transition to GCC High. Our migration services ensure a smooth transition from Microsoft 365 to GCC High, Exchange to GCC High or Google to GCC High with a streamlined, five-step migration approach that includes design & planning, configuration, testing & pilot, migration, and project completion. The entire migration effort can be accomplished in as little as 4-6 weeks.
Start Your Compliance Journey Today
The next 9 months will be critical for organizations to prepare for CMMC 2.0, and finding an RPO (Registered Provider Organization) is more important than ever in order to fully understand the CMMC 2.0 timeline, the rules that are in place today, as well as the skills required to ensure organizations are assessment-ready come July 2023. Given these factors, we are quickly transitioning our clients from the "early adopters" phase of CMMC, to ensuring that they do not miss the boat.
Our Government Services Team provides the services and solutions required for CMMC readiness. We help DIB contractors as small as 10 and up to 6,000 users:
- Map existing security and compliance policies to CMMC controls and provide gap analysis
- Build secure enclaves using Swivel Seat and green field methodologies
- Design and implement complex hybrid or full cloud IaaS and PaaS secure environment
- Migrate data, applications and systems from existing environments to secure enclaves
- Ensure readiness for CMMC self-assessment with step-by-step, pre-audit guidance
Contact us to start your compliance journey today.