Get ready for CMMC | Step 2: Decide if you need help from external security or compliance services
Defense contractors are busy right now keeping one eye on their manufacturing operations and the other on the requirements of the Cybersecurity Maturity Model Certification (CMMC). Or, at least, they should be keeping one eye on the CMMC requirements. If not, they are in for a rude awakening as soon as November 2020, when they will be unable to bid on new contracts because they are not CMMC-certified.
This challenge—trying to keep day-to-day production running while getting ready for CMMC—brings us to step two of the five steps we’ve identified to help defense contractors position themselves for greater success to achieve certification.
(ICYMI: Last week we discussed Step 1, where we took a look at the importance of identifying your target maturity level.)
Step 2: Determine whether you need help from external security or compliance services
Before deciding whether to engage external service providers, make sure you understand the systems that are in scope for CMMC. Controlled Unclassified Information (CUI)—the information the CMMC is looking to protect—is present not only in technical and business documents, but also in ERP solutions such as your financials and supply chain applications.
For manufacturers in the defense industrial base, bills of materials, manufacturing quality and test data, technical specifications, and supplier data could all be considered CUI. Remember that any ITAR-controlled data is automatically considered CUI and will require CMMC Level 3 at a minimum. It is extremely difficult to keep this data out of your ERP systems without restricting your ability to use them for essential business functions.
Once you’ve got an understanding of what systems are in scope for CMMC, it’s time to look at the external security or compliance services that may help you.
When we talk about external security or compliance services, we aren’t talking about the CMMC assessors themselves. All defense suppliers will receive their certification audit from a Certified Third-Party Assessment Organization (C3PAO) with assessors who are trained and licensed by the CMMC Accreditation Body.
The assessor’s first job is to review your cybersecurity infrastructure, processes, and practices. After that review, they then evaluate whether you have achieved compliance per the standards required for your targeted CMMC maturity level. These folks are there to grade the test, not to help you prepare for it. In fact, assessors will not be allowed to audit their own organization or any organization for which they have provided CMMC consulting services.
The sort of external security and compliance services you may want to engage at this stage, however, include vendors who are experts in the CMMC, NIST, and other security frameworks. These vendors can provide expertise to help audit your cybersecurity infrastructure in preparation for the real assessment.
Working with these vendors may also speed up your preparations compared to trying to go it alone, especially if you are looking at CMMC Level 3 and above.
There are four different types of security and compliance service providers you may find helpful, depending on the cybersecurity expertise and infrastructure you may already have in-house. They include security assessment services, security control implementation services, managed security services, and managed software application services.
- External security assessment services provide an objective evaluation of your current IT infrastructure and any documented security policies, processes, and practices. Many of these advisory organizations already exist to audit NIST SP 800-171 requirements under the current DFARS rules (clause 252.204-7012). Remember that CMMC extends beyond NIST SP 800-171, but an 800-171 assessment is still a good starting point until the formal CMMC assessment guidance is fully released by the CMMC AB. You should expect to receive a security gap analysis from this service.
- Engage security control implementation services if you anticipate needing help making changes to your IT systems, network infrastructure, or other aspects of your computing environment. You can engage this type of vendor on a one-time basis and transfer ongoing management and upkeep of the systems to in-house staff. Many security service providers will perform both the assessment and the implementation of the additional controls needed to close the identified gaps.
- Consider managed security services if you want the same work done as the security control implementation providers deliver, but also want the provider to keep managing your systems afterward. With this type of vendor, your organization will have an ongoing relationship and a contract in place for them to deliver your cybersecurity services. These vendors may manage systems and networks hosted on-premises at your company, or provide secure data centers offsite with shared responsibility for security controls. In either case, make sure the contract spells out which controls the provider operates and which remain yours, since your assessor will expect evidence for both.
- Managed software application services are a step beyond managed security services: the defense supplier moves its computing infrastructure to a cloud-based software environment, and the vendor manages and maintains the hardware, software, and compliance requirements on the contractor's behalf.
This option also has a shared responsibility model for security. How much of that responsibility shifts to the provider depends on the type of cloud service, whether infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), or software-as-a-service (SaaS). Of the three models, SaaS shifts the most burden for implementing security controls onto the cloud service provider.
This is also the only option that provides defense suppliers with an independent, third-party assessment of the underlying systems, such as a FedRAMP authorization, which can significantly accelerate the documentation and demonstration of your security processes and practices for CMMC. Note that such an authorization covers the provider's portion of the controls; the configuration choices, user access, and data-handling practices on your side of the shared responsibility line are still yours to implement and to demonstrate.
Consider managed security services or SaaS solutions if you have limited cybersecurity experience in house or are unsure of the potential costs of managing compliance yourself, such as implementing and maintaining a new isolated IT network.
The CMMC standard is sure to add to the already full workload defense suppliers are currently managing. Bringing in third-party expertise may be the most efficient way to achieve certification, which will be required for bidding on new government contracts as soon as the end of 2020.
For comprehensive information on how to get ready for the CMMC, download our Cybersecurity Maturity Model Certification (CMMC) Best Practice Guide.