For defense companies and contractors, the new year requires a crash course in learning about and adhering to new U.S. Department of Defense (DoD) cybersecurity certification standards with wide-ranging impacts. Mainstay Technologies has been closely following these efforts, which have led to the creation of the Cybersecurity Maturity Model Certification (CMMC), and has developed significant expertise to help companies navigate the numerous requirements associated with gaining certification. The company, which is a leading IT and Information Security services company in Northern New England, is prepared to help educate contractors and subcontractors within the DoD supply chain on preparing for Cybersecurity Maturity Model Certification.
CMMC is the next stage in the DoD’s efforts to properly secure the defense industrial base, which is composed of companies contracted to create and supply products that support U.S. military operations. The announcement of a cybersecurity assessment model signals to industry a streamlining of DoD cybersecurity requirements for contractors and subcontractors, who will now be required to gain certification to prove they meet specific levels of security. These levels integrate and build upon existing regulations, for example those for companies that are already required by contract to be NIST 800-171 compliant.
“CMMC is designed to help companies gain certification-based levels of required compliance which relate to the kind of work the company will be doing. Organizations such as Mainstay Technologies that have deep experience in information security and a strong understanding of compliance processes and protocols can serve as advisors and assessors to prepare companies to meet certification requirements and audits. We believe it’s very important to share core information on CMMC in 2020 so companies can plan ahead for these changes,” said Jason Golden, chief information security officer for Mainstay.
New Hampshire and the Northern New England region are home to several large defense contractors and a network of subcontractors that play a key role in national defense and in economic development. By making the move to require cybersecurity compliance in 2020, the DoD has demonstrated that national security is a top priority and concern for companies selected to help build products that protect our country. To ensure this happens, DoD is taking steps to further refine supply chain cybersecurity requirements and is implementing a process for guaranteeing adherence to the requirements.
CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place for basic through proactive cyber hygiene. The intent is also to strengthen the protections around controlled unclassified information (CUI) that resides in DoD’s industry partners’ environments.
There are 17 domains, each composed of specific capabilities needed to achieve each level of CMMC, and they must be considered depending on the type of work conducted by a company. Examples of domains include access controls, asset management, incident response, security assessment and personnel security. Each level is cumulative, meaning the company must demonstrate achievement of previous levels. The five levels are as follows:
- Level 1 – “Basic Cyber Hygiene,” which addresses limited or inconsistent cybersecurity policies and systems
- Level 2 – “Intermediate Cyber Hygiene,” which requires established and documented policies, procedures and strategic cybersecurity plans
- Level 3 – “Good Cyber Hygiene,” which requires effective implementation of controls equal to full NIST 800-171 control set and includes assessments to measure effectiveness
- Level 4 – “Substantial and Proactive Cybersecurity Program,” which requires continuous monitoring with process optimization and proactive alerts to leadership
- Level 5 – “Advanced or Progressive Cybersecurity Program,” which requires optimized capabilities to repel advanced persistent threats. Process implementation must be standardized across the entire organization
“There are layered complexities associated with CMMC, and companies are encouraged to begin investigating what is required of them as soon as possible. Mainstay Technologies has been working in this field for several years and has built up the necessary expertise to serve as a trusted partner to perform compliance assessments, identify real-world risk factors, remediate any findings and carry the overall responsibility for cybersecurity long-term,” Golden said.
For defense contractors, becoming familiar with CMMC and gaining certification will be a key resolution this year to enable them to continue to engage in DoD work. In early- to mid-2020, certified accreditation organizations will be trained. CMMC requirements will appear in new RFIs by late 2020, and accreditors will be ready to provide certification. For more information about cybersecurity services, visit the Mainstay website or reach out directly at info@mstech.com.
About Mainstay Technologies
Mainstay Technologies provides high-touch, enterprise-level IT and Information Security services to organizations that understand the important role efficiency and information security play in their company’s operational strategy. By taking time and care to understand the unique needs, processes, culture, and budget pressures of each client-partner, Mainstay builds proactive technology plans that create value and peace of mind. Established in 2004, the company’s staff of smart and passionate strategists, technologists and information security professionals set the bar for IT and cybersecurity firms across Northern New England. Learn more at mstech.com.