CMMC Is Here To Stay, So Take Control NOW!
If you think CMMC (Cybersecurity Maturity Model Certification) is going to go away, think again. Here is Katie Arrington, the former CISO at the Department of Defense, in a recent LinkedIn article:
“Ultimately, the risk is in the hands of the prime, and they should be requiring CMMC certification on new RFP submissions from their supply chain. It would be the thing within a bid that actually showed effort from the prime to be compliant.
It is a massive value add for risk reduction strategies, and I can tell you it will be the thing that makes the technical evaluation boards (TEB) on these big cat-1 programs think about and review with a submission of the seriousness of the issue as a positive.
We are losing $139 million a day just within the Department of Defense with the lack of cyber compliance. The cost of the CMMC certification would pay for itself within a few years.”
Much of the conversation has focused on the prime vendors, but what about the smaller DoD contractors? Unfortunately, most defense contractors will have great difficulty adhering to the requirements of the Defense Federal Acquisition Regulation Supplement (DFARS). In addition, with the Cybersecurity Maturity Model Certification (CMMC) approaching (expected to go into effect by early summer of 2023), many of these defense firms will need to quickly formulate and implement plans to meet the requirements of this certification.
The DoD cybersecurity requirements spelled out in NIST 800-171 include a specific risk assessment requirement for organizations seeking CMMC certification. It states they shall “periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.”
To satisfy this security requirement, organizations seeking certification (OSCs) have to define the frequency with which they will perform risk assessments (for example, at least once a year and whenever significant changes affecting their system security plan are implemented, or more often). Risk assessments must then actually be performed at that defined frequency.
NIST defines a risk assessment as “the process of identifying, estimating, and prioritizing risks to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system.”
Within these risk assessments, it will be critical for vendors to include the following asset types: CUI Assets, Specialized Assets, Security Protection Assets, and Contractor Risk Managed Assets, as defined by the CMMC Scoping and Assessment Documents.
With the advent and proliferation of IoT and other unmanaged assets, it will be especially critical for organizations to gain continuous visibility and monitoring capability over these assets. IoTSecure can provide you with the tools for your CMMC roadmap in a way that is out of the box and deployable instantaneously. On top of that, we provide the CMMC report you need for compliance so you can continue your business at a minimal cost.
Learn more about how the FREE version of IoT-mini can help you meet the two foundational requirements below out of the box:
- CM.2.0621: Inventory of ALL Devices
- RM.2.142: Vulnerability Detection
With the PAID version, starting at JUST $3000/year, you can step up that compliance by adding coverage for these two crucial requirements:
- SI.2.216: Security Monitoring
- CA.2.159: Reduce or Eliminate Vulnerabilities