Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
With the start of a new year, organizations hoping to do business with the U.S. Department of Defense (DoD) need to be more aware than ever of Cybersecurity Maturity Model Certification (CMMC) requirements.
If you’re new to the world of CMMC, this blog post offers a comprehensive overview of what the standard is, what it’s intended to do, and why it’s so important. For organizations that are already versed on the basics of CMMC compliance and are working toward achieving the appropriate maturity level, the interview below with Darren Van Booven, Lead Principal Consultant at Trustwave, CMMC Registered Practitioner, and former CISO of the U.S. House of Representatives, can help you assess your CMMC readiness for 2021.
Q: What is the current state of the CMMC framework? What should organizations be doing to be eligible for contracts?
Darren: The official first version of the CMMC framework was released in early 2020. However, to formally implement CMMC within DoD’s procurement system, there needed to be an update to the Defense Federal Acquisition Regulation Supplement (DFARS). That DFARS update has now happened, and the interim final rule went into effect on November 30th. With the DFARS update the DoD supply chain and CMMC Marketplace are waiting on two things. The first is the introduction of CMMC requirements inside procurement solicitations. Right now, the DoD is able to start doing that. In a December 15, 2020 news release, the DoD announced the CMMC pilot contracts on a select group of new acquisition opportunities within the U.S. Navy, U.S. Air Force, and Missile Defense Agency. Because CMMC is being phased in over a period of 5 years, not every DoD contract will contain CMMC requirements at first.
The second step, which is what the DoD is anticipating, is for the CMMC Accreditation Body to certify enough third-party assessors who can perform the actual certification reviews to the point of meeting the demand. Right now, DOD is doing provisional assessments, which do not result in real certification. Official CMMC assessments resulting in certifications will begin in the coming weeks and months.
But that process is in place – and the CMMC Accreditation Body has said that the organizations that will get priority when it comes to achieving their certifications will be those who need to respond to the initial RFPs. That’s important – there are about 300,000 members of the defense supply chain and everyone can’t be certified at once.
Q: What advice and guidance are you offering to your clients?
Darren: The questions I get the most are from organizations who know what CMMC is, but don’t necessarily know how it will affect them, and what they should be doing now. So, the guidance I would offer is threefold:
These are all things that organizations should be doing now – so they’re not rushed later on.
Q. How can Trustwave help?
Darren: One of our strengths, as a full-service security company, is that we can help you make implementing CMMC compliance easier. You’ll need to do your planning and assessment by looking at your practices and finding your gaps. You’ll need to identify and find your data, so you can properly protect it. You’ll need to remediate gaps like missing policies, monitoring controls that might not be in place, managed testing services, and more. Trustwave can help with the entire process.
Department of Defense (DoD) requires proof of CMMC compliance to ensure protection of controlled unclassified information (CUI) from nation-state and nefarious actors, while keeping the supply chain running safely. Is your Cybersecurity maturity plan at the desired level to participate in the US government contract bidding process?
As breaches continue to be more commonplace, data infractions have continued to grow as well. In addition, threats to critical government assets also continue to increase in frequency and stealthiness. It is, therefore, paramount that agency visibility, control and cybersecurity plans continue to expand to face these threats by protecting national security and uninterrupted production. Fortunately, the DoD and other critical government groups have begun mandating cybersecurity capabilities for all vendors in their supply chain to meet NIST 800.171, NIST 800.53 and CMMC today.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.