CMMC Certification For DoD Contractors
DoD contractors, both primes and subcontractors, must obtain CMMC certification, because it is a mandatory requirement of DoD contracts. Any company that holds DoD contracts, even indirectly through subcontracting relationships, will need to undergo an assessment by an approved C3PAO to demonstrate CMMC compliance.
Gaining certification can be challenging. Varonis can assist federal contractors in devising their remediation plan quickly.
What is CMMC?
CMMC is the Department of Defense’s security framework, which requires contractors that work with sensitive government data to meet stringent cybersecurity standards. It aims to reduce cyber threats targeting the Defense Industrial Base (DIB), protect DoD data against breaches and improve overall cybersecurity practices.
DoD contracts demand various levels of CMMC compliance, and the rules are constantly shifting and evolving. Therefore, companies seeking DoD contracts should get an early start on their compliance journey by clearly documenting any procedures or practices that meet CMMC guidelines; this will make the certification process easier when the time comes.
Keep in mind, however, that a CMMC assessment cannot be challenged the way a pre-award protest can. It is therefore critical to stay abreast of developments and make plans to meet the DoD requirements for the CMMC level you need. If you are attempting to reach Level 2 and a lack of documentation is the obstacle, Varonis provides real-time visibility into sensitive files both on-prem and in the cloud, and supports compliance with all 102 Domains & Practices of Level 2 plus the 110 NIST SP 800-171 Security Controls.
Level 1: Basic Cyber Hygiene
At Level 1 of CMMC, contractors follow basic cyber hygiene practices such as using antivirus software and requiring employees to change passwords regularly. Documenting these processes helps ensure they are properly implemented. This level is designed to safeguard Federal Contract Information (FCI).
Most businesses should be able to reach Level 1 at minimal cost. Small companies that only handle FCI, rather than controlled unclassified information (CUI), may be able to continue working with the DoD once they reach this level.
Motivated contractors looking to enter the construction field will find this CMMC model an invaluable way to get their foot in the door and open opportunities that would otherwise remain closed to them. Contractors should stay abreast of changes to the model and take proactive measures to remain compliant, so as to maintain their level of certification over time, especially as the CMMC model develops further over the coming years.
Level 2: Security Operations
Companies that have grown beyond FCI to also deal with CUI should implement CMMC Level 2, the next level in a comprehensive security management process. It aims to enhance and build upon the foundational practices established at Level 1 while increasing overall company security.
At this level, written policies for each of the 17 domains, along with documented practices for implementing them, must be provided. Furthermore, the more stringent security requirements from NIST SP 800-171 are implemented, incorporating 55 additional practices on top of those found at Level 1, for 112 practices overall.
NIST SP 800-171 Rev 2 is used at this level; it organizes 110 security controls into 14 domains for assessment. Evaluating an organization against all 14 domains can be time-consuming; however, Cuick Trac offers a straightforward self-assessment option to help companies navigate this process with minimal hassle or expense.
Level 3: Advanced Security Operations
Level 1 covers basic cyber hygiene, while Level 2 goes a step further, demanding intermediate cyber hygiene as well as detailed documentation of the practices and processes related to CMMC. At Level 3, a process maturity assessment must also take place, and additional practices and domains are included.
At this level, it is necessary to develop and execute a long-term plan to implement and manage cybersecurity practices. The plan covers goals, missions, projects, resourcing needs, training needs and organizational stakeholder involvement, as well as eight access control practices such as authentication and encryption.
The Department of Defense (DoD) introduced this security certification program to strengthen protections for the Defense Industrial Base (DIB). This complex of sensitive assets and infrastructure is a frequent target of cyberattacks, with past breaches leading to stolen technology such as F-35 stealth fighter jet designs. As a result, the DoD must ensure its contractors implement appropriate cybersecurity controls in order to safeguard this important CUI.