The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Level 2 is based on the 110 security practices from NIST SP 800-171 rev 2. These practices are designed to protect controlled unclassified information (CUI) within the defense supply chain. For most DoD contractors, achieving CMMC Level 2 compliance is now mandatory, but the process is challenging. Organizations must navigate evolving requirements, implement technical controls, manage costs, train their workforce, and prepare for stringent audits. Here’s an overview of the top challenges contractors face along with the best practices for overcoming them.
Appalachia Technologies Blog
Appalachia Technologies team is comprised of a diverse mix of IT professionals, some of whom have been on the forefront of IT since the industry’s inception. Through the years, our team has developed a wide array of experience in understanding individual needs and how they relate to your business.
Anyone offering a sure-shot solution to all your Cybersecurity Maturity Model Certification (CMMC) woes is trying to pull a fast one on you. The CMMC is a comprehensive move by the U.S. Department of Defense (DoD) that involves many moving parts and will take years to implement fully.
The Cybersecurity Maturity Model Certification (CMMC) was formally made part of the Defense Federal Acquisition Regulation Supplement (DFARS) in January 2020 and updated to CMMC 2.0 in November 2021. The decision affected more than 300,000 defense industrial base (DIB) members, and many found themselves drowning in all kinds of unnecessary noise surrounding CMMC and its implications on existing and future government contracts.
In your city or town, you know that stretch of road or highway that feels like it has been under construction for 10 years? In many ways, the development of CMMC can feel like it too is marked with orange cones and will be underway for years. From the most significant change of CMMC 1.0 (the OG version) to the November 2021 update to CMMC 2.0, to even the CMMC-AB name change to The Cyber AB, new information seems to keep coming with timelines shifting. While The Cyber AB holds monthly Town Hall webinars to share updates, the DoD and various vendors are also sharing out information via webinars. Recently, PreVeil, a DoD supplier, along with members of the Manufacturing Extension Partnership, hosted a webinar with DoD leaders Stacy Bostjanick (DoD CMMC Program Head) and Dave McKeown (DoD CISO) to review recent updates and timelines.
Even organizations with solid cybersecurity programs will have findings from a security assessment. After all, cyber attacks and attackers continue to learn and evolve, always trying to be one step ahead of their prospects. Through our years of performing security assessments, here are the Top 5 areas that we have found to need remediation work post-assessment.
In a previous blog post, we discussed how to calculate your SPRS (Supplier Performance Risk System) score in support of your CMMC (Cybersecurity Maturity Model Certification) efforts. In that same blog, we also provided a free tool to help you calculate your SPRS score automatically.
In this follow-on blog, we’ll talk about how to provide your SPRS score to the DoD, which is a whole other chore once you’ve actually determined what your score is. In order to access the part of the SPRS website where your score is uploaded, we first need a CAC (Common Access Card) or a DoD approved medium assurance ECA (External Certification Authority) certificate. The primary purpose of this certificate is to ensure that the individual person entering the score is who they actually claim to be (non-repudiation), in addition to ensuring the confidentiality of the data.
This month’s release of the much-anticipated CMMC 2.0 left many of us in the world of cybersecurity shaking our heads. We have been working diligently with the defense industrial base for several years now, even before the CMMC was created, to stop the bleeding of our defense secrets to our adversaries. As a veteran and a Patriot, I, along with many other Americans, take this very serious problem personally.
I started writing SSP’s (System Security Plans) well before the original Executive Order mandated deadline of December 31st 2017 and have since written at least 50 SSP’s for defense contractors of every imaginable type and size. There wasn’t a lot of guidance on how to do this at that time, other than to have a very thorough and complete understanding of the nearly 500-page NIST 800-53 framework.