Department of Defense (DoD) Cybersecurity & Compliance Updates – CMMC, eMASS, DFARS, NIST, FISMA
The winds of change are blowing at the Department of Defense (DoD) when it comes to cybersecurity and compliance, and in a big way. It seems as if the federal government is finally, yes, finally, getting serious about protecting data. It has been estimated that more than 300,000 entities in the DoD supply chain will be affected by new regulations relating to cybersecurity, particularly the Cybersecurity Maturity Model Certification (CMMC).
Honestly, I think that number is extremely conservative and misses a large number of organizations that the DoD hasn't even considered. Regardless, big changes are coming, and here is what federal contractors (and other entities) need to know about the monumental changes coming their way in the world of cybersecurity and regulatory compliance.
The DoD is Getting Serious with Cybersecurity
Soft enforcement. Regulations with little bark and no bite. Self-assessing one's own internal controls. According to the Department of Defense, that is all coming to an end for the more than 300,000 companies in the DoD supply chain.
According to Ellen Lord, then Under Secretary of Defense for Acquisition and Sustainment, "We have set out an objective of coming up with new cybersecurity standards this year…We'll have metrics by which to measure them. We'll have third parties that can actually audit against them such as International Organization for Standardization standards we have for quality. We need for them to understand: How do we put cybersecurity into the new networks we are building? How do we make sure that there aren't back doors there? How do we make sure that data at rest stays secure?"
For Starters, Welcome to the CMMC in 2020 and Beyond
The solution, according to the DoD? For starters, the Cybersecurity Maturity Model Certification (CMMC). The CMMC is the Department of Defense's new approach to the growing cybersecurity and data privacy concerns surrounding the thousands of federal contractors that store, process, transmit, or otherwise hold sensitive data in their systems, specifically Controlled Unclassified Information (CUI).
Unlike the NIST SP 800-171 requirements imposed under DFARS 252.204-7012, where contractors self-attested by providing a System Security Plan (SSP) and, if necessary, a Plan of Action and Milestones (POA&M) for any unmet requirements, CMMC assessments are to be performed by independent third-party assessors. Yes, it is a new game for federal contractor cybersecurity: out with the self-assessment model of NIST SP 800-171, and in with assessors certifying contractors against the CMMC.
It is important to note that the CMMC incorporates the existing requirement families from NIST SP 800-171, but it also brings in other standards, frameworks, and best practices.
CMMC – Much more than Just NIST 800-171
Specifically, “The CMMC effort builds upon existing regulation, specifically, 48 Code of Federal Regulations (CFR) 52.204-21 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, and incorporates practices from multiple sources such as NIST SP 800-171 rev 1, Draft NIST SP 800-171B, the United Kingdom’s Cyber Essentials, and Australia’s Essential Eight [4,11,12,47]. CMMC also adds a certification element to verify implementation of cybersecurity requirements. CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for flow down to subcontractors in a multi-tier supply chain.”
The result is a well-rounded program that should bring a noticeable increase in cybersecurity measures for thousands of federal contractors. And with self-certification pushed aside in favor of certification by independent assessors, there are big changes coming to the world of federal cybersecurity when it comes to the DoD. A quick look at the CMMC, and here is what you need to know:
- The vision of the CMMC is to be a unified cybersecurity standard for DoD acquisitions that reduces the exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB).
- The CMMC combines various existing cybersecurity standards and best practices into a single model.
- The goal of the CMMC is a cost-effective and affordable cybersecurity framework that small businesses in the DoD supply chain can realistically meet.
- As of 2020, the model has 17 "Domains", each containing one or more "Capabilities".
- Each Capability is achieved through specific "Practices" and "Processes", and every practice and process is mapped to one of the five maturity levels, CMMC Level 1 through Level 5. A contractor's required level will be stated in the contract, and a higher level includes every practice of the levels below it.
Familiar with eMASS? You Need to Be
According to the DoD, "eMASS is a cybersecurity governance, risk, and compliance (GRC) tool that provides an integrated suite of authorization capabilities to improve cyber risk management, including context to understand mission impact by establishing process control mechanisms for obtaining authorization to operate (ATO) decisions." With eMASS seeking to automate more of the DoD's cyber risk management and ATO measures, it is important to work with a proven, trusted firm to help navigate the changes, and that's FLANK.
In short, eMASS (the Enterprise Mission Assurance Support Service) has become the DoD's standard tool for information system Certification and Accreditation (C&A), now known as Assessment and Authorization (A&A) under the Risk Management Framework (RMF). eMASS automates the authorization workflow, routes tasks among user roles (such as the system owner, the security control assessor, and the authorizing official), and generates a variety of reports based on user needs (for example, FISMA compliance reporting). Over time, the functional capabilities of eMASS have evolved in response to requirements from DoD leadership and feedback from operational users.
Documentation WILL be Critically Important for DoD Cybersecurity Compliance
One of the most fundamentally important measures for ensuring compliance with the wave of DoD cybersecurity requirements is documentation. That's right: policies, procedures, and other supporting materials are, and will continue to be, a big part of DoD compliance. Assessors expect to see a written policy, a procedure that implements it, and evidence that the procedure is actually followed. Documentation needs for the likes of FISMA, DFARS, CMMC, RMF, and more include the following:
- Access Control
- Incident Response
- Cybersecurity Governance
- Configuration Management
- Change Control/Change Management
- Systems Development Life Cycle
- Security & Patch Management
- Network Security
That is just a small sample of the policies and procedures you will need. Thankfully, FLANK provides a robust set of policy toolkits to help federal contractors stay compliant with the long and ever-growing list of DoD compliance measures.
Here’s How FLANK can Help with DoD Cybersecurity Compliance
1. Help with scoping. All of today's major DoD and federal compliance frameworks (CMMC, FedRAMP, the NIST SP 800 series, and more) require a thoughtful approach that should always begin with an upfront scoping and readiness assessment. After all, understanding scope in terms of which controls are to be assessed, which systems and locations hold CUI, which personnel are involved, and more is not only beneficial but essential to the long-term success of your compliance efforts.
2. Developing security policies and procedures. Writing policies and procedures is an incredibly time-consuming task for many of today's growing DoD reporting requirements. From CMMC to eMASS and more, the process can take dozens of hours. FLANK offers industry-leading templates that save both time and money on critical policy development. Whatever your needs are for information security policies and procedures, we can help.
3. Remediating critical control gaps. No organization has a picture-perfect control environment. FLANK can help develop all necessary documentation and remediate technical, security, and operational controls as needed for DoD compliance.
4. Writing System Security Plans (SSPs). A System Security Plan (SSP) is an essential component of many of today's federal compliance reporting requirements. FLANK has years of experience authoring SSPs for a wide range of client needs.