Sometimes, government requirements and regulations can make you feel like you are Alice falling down new rabbit holes, trying to figure out just what exactly your business needs to do to win (and keep) your contracts and subcontracts.
Do you need to be NIST certified? SP 800-53 or SP 800-171, or both? What are FAR and DFARS? Are UK NCSC Cyber Essentials or AU ACSC Essential Eight in any way relevant?
The goal of the CMMC is to consolidate everything into one (hopefully) simple model, so instead of chasing requirements, they are right there and easy to find. It is a “Maturity Model” with five different levels called “Maturity Levels” (ML); each level is essentially a stepping stone to the next, meaning you can’t achieve ML 5 until you have also achieved ML 1-4.
The problem right now is that everything still seems up in the air, and the uncertainty of not knowing exactly what you are supposed to be doing can be nerve-wracking. What can you do?
What we recommend is working on achieving ML 3 for the time being, and here is why:
- ML 3 is essentially cybersecurity best practices. Even if you are not required to achieve ML 3, it is still a good idea to protect yourself from hackers, who can shut down your company and compromise your business.
- You should already be NIST SP 800-171 certified NOW. While there are a few extra security measures added to ML 3, if you have all NIST SP 800-171 security controls in place now, passing CMMC ML 3 will be relatively easy. UNTIL CMMC IS FULLY IN PLACE, YOU CAN LOSE YOUR CONTRACT IF YOU ARE NOT ACTUALLY NIST SP 800-171 CERTIFIED.
- Competitive advantage. Not only could it help you win new contracts that DO require your business to be ML 3 certified; whenever you are competing for a contract, you can let them know you have gone above and beyond in your cybersecurity measures.
We also have a little secret for you… while there are often some slight differences, most of these regulations’ security controls are based on NIST SP 800-171. NIST SP 800-171 is considered “cybersecurity best practices,” so it will give you a REALLY strong foundation to grow from.
Also, as far as the DoD is concerned, they are not trying to trick their contractors and subcontractors. Regardless of how it might somehow feel, they are not rooting for your failure; on the contrary, they are attempting to keep their data safe. That’s the whole point of the CMMC. Katie Arrington, Chief Information Security Officer for the Office of the Under Secretary of Defense for Acquisition and Sustainment, noticed a trend: NIST SP 800-171 self-reporting was NOT working. Contractors were constantly victims of cyber attacks, and something needed to be done about it because it was putting the US Federal Government at risk. They understood that cybersecurity and safety were hard to achieve, and they decided to make it easier.
So while it may seem uncertain and confusing at first, especially considering the fact that not everything is in place yet, the goal is to help you protect your business against hackers. We here at Petronella Technology Group are familiar with the security controls, and we recommend starting your journey to cybersecurity sooner rather than later. Give us a call at 919-422-2607 or schedule a free meeting online by clicking here.