CMMC Compliance for Defense Industrial Base (DIB) Contractors: An Accelerated Certification Guide
The U.S. Department of Defense announced CMMC 2.0 to simplify the Cybersecurity Maturity Model Certification (CMMC 1.0) required of all DoD contractors, while keeping the program focused on the most important cybersecurity standards. According to the announcement, the revised program is intended to ensure accountability, instill a collaborative culture of cybersecurity and cyber resilience, and enhance public trust in the Department. Full compliance is expected in 2024.
Read on for high-level details about CMMC, what every defense contractor must do to be compliant, the benefits of becoming compliant now, and how to get started.
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” said Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
What is the Cybersecurity Maturity Model Certification (CMMC)?
The interim DFARS rule established a five-year phase-in period during which CMMC compliance is required only in select pilot contracts approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. Under CMMC 1.0, the requirement was expected to reach most companies in 2024 or 2025. Under CMMC 2.0, the requirement may appear in new solicitations as early as August 2022 and no later than November 2023.
A POA&M (Plan of Action and Milestones) lets a contractor defer compliance for a limited number of practices by up to 180 days. Every item in the POA&M must be time-bound and enforceable: each open practice needs a named remediation, an owner, and a due date that can be verified at assessment.
Read more on the Department of Defense CMMC information page
The CMMC Trust Levels
The level of certification you need depends on where you sit in the supply chain and on the information you handle. A single program can involve several dozen or more subcontractors working in concert to provide the materials, time, and technologies that support the prime contractor. The prime contractor and the government sponsor are responsible for ensuring that the required CMMC level flows down through the entire supply chain.
What Are The Changes in CMMC 2.0?
With the implementation of CMMC 2.0, the Department is introducing several key changes that build on and refine the original program requirements. These are:
- Streamlined Model – reduces the model from 5 to 3 compliance levels and bases the practices on National Institute of Standards and Technology (NIST) cybersecurity standards (NIST SP 800-171 and SP 800-172)
- Reliable Assessments – allows companies at Level 1 (and some at Level 2) to self-assess, with higher accountability for third-party assessors at the levels that still require them
- Flexible Implementations – in a spirit of collaboration, allows some companies to use POA&Ms to reach certification, adding flexibility and speed
The Fast Track to CMMC 2.0 Compliance
CMMC 2.0 is still complex to implement. That’s why TekStream and Splunk came together to create a simple way to help you adapt to this new compliance model. Learn how one client achieved CMMC readiness in under 30 days and discover how you can too.
The Benefits of Early Action and Where to Start
Acting early puts you ahead of the curve, prepares you to meet DoD needs now and opens an opportunity for pathfinder contracts (if applicable). So, where should contractors start?
There are a number of consultants offering compliance assessments and reviews, but the quickest and most effective way to kick off your CMMC effort will be a tandem partnership with a prescriptive solution and implementation consultancy.
TekStream and Splunk have partnered to bring you the exact solution and expertise you need to make getting -and staying – compliant as seamless as possible.
Using Splunk, TekStream’s team can help you achieve CMMC readiness in as little as 30 days.
It seems like a bold claim, but we’ve delivered hundreds of NIST/CMMC compliance solutions built on a platform that automates monitoring of all relevant compliance data across the enterprise. A comprehensive CMMC 2.0 monitoring, alerting, and security application is the underpinning of our approach. No one needs another lengthy compliance assessment; an analysis of gaps and existing procedural controls is critical, but it need not be the first step.
Gaps can be identified in the process of implementing the solution.
Essentially, the process starts with gathering all of the relevant compliance data sources across your enterprise and implementing automated checks for each practice. Gaps surface naturally during implementation; each one is then covered either by a process description in the System Security Plan (SSP) or by a POA&M entry that defers compliance for that specific practice.
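To make the loop above concrete, here is an added example (not TekStream's or Splunk's code) that evaluates two practices against constructed log events, rolls the results up per practice for a dashboard, and turns each failing host/practice pair into a POA&M entry with a 180-day due date. The practice numbers follow NIST SP 800-171 Rev. 2, which CMMC 2.0 Level 2 is aligned to; the event format, host list, and failed-logon threshold are assumptions made for the example.

```python
"""Automated practice checks with POA&M generation (illustrative only)."""
from collections import defaultdict
from datetime import date, timedelta

MAX_FAILED_LOGONS = 5  # assumed organizational threshold for 3.1.8
ASSUMED_HOSTS = ["fileserver01", "workstation07"]  # assumed in-scope assets

# Constructed sample events, one dict per normalized log line (not real data).
SAMPLE_EVENTS = (
    [{"host": "fileserver01", "event": "logon_failure", "user": "jdoe"} for _ in range(6)]
    + [{"host": "workstation07", "event": "logon_failure", "user": "asmith"} for _ in range(6)]
    + [
        {"host": "workstation07", "event": "account_lockout", "user": "asmith"},
        {"host": "fileserver01", "event": "audit_log", "user": "-"},
    ]
)


def check_limit_logon_attempts(events, hosts, max_failed=MAX_FAILED_LOGONS):
    """3.1.8 Limit unsuccessful logon attempts.

    A host passes when every account that exceeded max_failed failures has a
    matching lockout event; a run of failures with no lockout is a gap.
    """
    failures = defaultdict(int)
    locked = set()
    for e in events:
        key = (e["host"], e["user"])
        if e["event"] == "logon_failure":
            failures[key] += 1
        elif e["event"] == "account_lockout":
            locked.add(key)
    result = {h: True for h in hosts}
    for (host, user), count in failures.items():
        if host in result and count > max_failed and (host, user) not in locked:
            result[host] = False
    return result


def check_audit_logging(events, hosts):
    """3.3.1 Create and retain system audit logs: a host passes if it has
    produced at least one audit record in the collected data."""
    reporting = {e["host"] for e in events if e["event"] == "audit_log"}
    return {h: h in reporting for h in hosts}


# Practice ID -> (title, check function). Titles paraphrase NIST SP 800-171.
CHECKS = {
    "3.1.8": ("Limit unsuccessful logon attempts", check_limit_logon_attempts),
    "3.3.1": ("Create and retain system audit logs and records", check_audit_logging),
}


def evaluate(events, hosts):
    """Run every check and return one pass/fail row per practice and host."""
    rows = []
    for pid, (title, check) in CHECKS.items():
        for host, ok in check(events, hosts).items():
            rows.append({"practice": pid, "title": title, "host": host,
                         "status": "pass" if ok else "fail"})
    return rows


def summarize(rows):
    """Dashboard-style roll-up: practice -> (hosts passing, hosts checked)."""
    summary = {}
    for r in rows:
        passed, total = summary.get(r["practice"], (0, 0))
        summary[r["practice"]] = (passed + (r["status"] == "pass"), total + 1)
    return summary


def build_poam(rows, opened="2023-01-01", deferral_days=180):
    """Create a POA&M entry for each failing row; due date = opened + deferral."""
    opened_on = date.fromisoformat(opened)
    due = (opened_on + timedelta(days=deferral_days)).isoformat()
    return [
        {"practice": r["practice"], "host": r["host"], "opened": opened,
         "due": due, "milestone": f"Remediate {r['practice']} on {r['host']}"}
        for r in rows if r["status"] == "fail"
    ]


if __name__ == "__main__":
    results = evaluate(SAMPLE_EVENTS, ASSUMED_HOSTS)
    for pid, (passed, total) in summarize(results).items():
        print(f"{pid}: {passed}/{total} hosts passing")
    for entry in build_poam(results):
        print(entry)
```

The point of the structure is that each practice is a small function over already-collected data, so a new gap shows up as a failing row the moment its data source is onboarded, and the POA&M entry is generated from the same result rather than written by hand after a separate assessment.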
By partnering with TekStream and Splunk, you’ll be getting:
- Installation and configuration of Splunk, CMMC App, and Premium Apps in mere weeks.
- Pre/Post CMMC Assessment consulting work to ensure you are meeting or exceeding CMMC level requirements.
- Optional MSP/MSSP/compliance monitoring services to take away the burden of data management, security, and compliance monitoring.
Once you’ve gone through CMMC 2.0 with TekStream, compliance and auditing are ongoing: each practice is monitored automatically and summarized in a centralized auditing dashboard.
This significantly reduces the risk of non-compliance, along with the cost and effort of the attestation required every three years.
If you’re already using Splunk, this opportunity should be a no-brainer.
If you are new to Splunk, what better way to procure a best-in-class security, compliance, and operational intelligence platform?