Saturday, October 12, 2024

CMMC Final Rule: What Defense Contractors Need to Know and Do Before December 2024

The final rule for the Cybersecurity Maturity Model Certification (CMMC) program is set to be published in the Federal Register on October 15, 2024. Once it is published, it takes effect 60 days later.

The final CMMC rule represents a significant step in enhancing cybersecurity in the defense sector. While it introduces new compliance requirements, it offers a more flexible and cost-effective approach for many contractors, especially small businesses handling only FCI. Companies should start preparing to meet the necessary requirements when the rule takes effect. 

Here's a breakdown of what this means:

CMMC Overview

CMMC is a program designed to enhance cybersecurity across the Defense Industrial Base (DIB). It aims to verify that defense contractors comply with existing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) protections.

Key Changes and Benefits

Simplified Certification Levels

  • Level 1 (Foundational): Requires 15 basic cybersecurity practices
  • Level 2 (Advanced): Requires 110 security practices from NIST SP 800-171
  • Level 3 (Expert): Requires 110+ practices from NIST SP 800-171 and a subset from NIST SP 800-172

The new structure potentially reduces costs for many small businesses:

  • Level 1: Allows for annual self-assessment, which is more cost-effective
  • Level 2: May require third-party assessment or self-assessment, depending on the program
  • Level 3: Requires government-led assessment

This tiered system allows companies to implement security measures commensurate with the sensitivity of the information they handle.

Impact on Contractors

  • Contractors must determine the CMMC level(s) they will be expected to meet for future contracts. In most cases, the required level will be flowed down by their prime contractor, as mandated by the contract.
  • They need to ensure that every information system supporting DoD contracts is accounted for in compliance planning.
  • Subcontractor compliance must be assessed.
  • Internal policies and procedures should be reviewed and updated to ensure compliance.

Implementation Challenges and Solutions

The implementation of CMMC presents significant challenges, particularly for smaller defense contractors.

Here's an overview of the situation and potential solutions:

  • Even Level 1 certification requires a substantial investment, which can be difficult for smaller companies to manage.
  • Cybersecurity requirements have been law since 2012, but they were never taken seriously. Government waffling and poor communication left companies uneasy about the potential spend. As a result, compliance was not treated as a business necessity, and many companies are still not adequately prepared because of poor communication and multiple delays.
  • Smaller companies often lack the in-house expertise to implement complex cybersecurity measures.

For many small defense contractors, outsourcing CMMC compliance to a specialized Managed Security Service Provider (MSSP) like Trusted Internet is generally the fastest and most cost-effective route to compliance.

What’s the difference between your current MSP and an MSSP?

  • An MSP (Managed Service Provider) focuses on general IT management, including network administration, software updates, and helpdesk support.
  • An MSSP (Managed Security Service Provider) specializes in cybersecurity and offers services such as threat monitoring, incident response, and compliance management.
  • MSPs ensure IT efficiency, while MSSPs protect against cyber threats.

How does Trusted Internet help?

Trusted Internet offers a no-cost CMMC Baseline Assessment Workshop, a comprehensive session designed to help small defense contractors achieve CMMC compliance:

  • A half-day in-person or online session where contractors answer assessment questions using a virtual dashboard.
  • Participants receive a scorecard and a detailed spreadsheet outlining the necessary steps for compliance.
  • The workshop provides baseline policies written for the chosen compliance level.

At the end of the day, contractors will leave with a baseline assessment, written policies, a simplified compliance roadmap, and a control-by-control spreadsheet that can be copied into SPRS.

What comes next? The final steps involve:

  • Procedure Development: Creating specific procedures based on the policies.
  • Technology Implementation: Implement Trusted Internet's comprehensive technology stack within 3-4 weeks to rapidly enhance your organization's security posture and meet CMMC compliance requirements.

The CMMC final rule presents challenges, especially for small defense contractors. However, outsourcing your security to Trusted Internet and participating in specialized workshops can provide a cost-effective and much more efficient path to compliance than going it alone. These approaches offer small businesses the expertise and resources to meet CMMC requirements without overwhelming their internal capabilities or budgets.

Want to sign up for a Trusted Internet CMMC Workshop? Sign up here to be notified of upcoming events.
