How Do You Identify If You Need CMMC?

by Jacob Acker | Feb 1, 2023 | Cybersecurity Maturity Model Compliance

IDENTIFYING CMMC

You may need CMMC if your organization handles controlled unclassified information (CUI) for the US Department of Defense (DoD) and intends to bid on DoD contracts that require it. CMMC compliance is mandatory for all organizations that want to perform work for the DoD and handle CUI as part of that work.

Additionally, if your organization is involved in supply chain management or works with other organizations that handle CUI for the DoD, you may need to demonstrate compliance with CMMC to maintain those relationships.

It is important to note that the CMMC is only applicable to organizations that are directly involved with the DoD and handle CUI. If your organization does not fall into this category, it may not need to comply with the CMMC.

If you are unsure if your organization needs CMMC, it is recommended that you consult with a professional who is familiar with the requirements of the DoD and the CMMC framework.

HOW DO YOU KNOW IF YOUR ORGANIZATION HANDLES CONTROLLED UNCLASSIFIED INFORMATION?

Here are some steps to determine if your organization handles controlled unclassified information (CUI):

1. Review your contracts and agreements: Review any contracts or agreements with the US Department of Defense (DoD) or other government agencies to determine if they require the handling of CUI.

2. Assess your information systems: Assess your information systems and data to determine if they contain any information that is considered CUI. This information may include sensitive but unclassified (SBU) information, confidential business information (CBI), or other sensitive information that is not classified but still requires protection.

3. Review your data protection policies and procedures: Review your organization’s policies and procedures for data protection and security to determine if they specifically address the handling of CUI.

4. Consult with experts: Consult with cybersecurity experts, legal counsel, or other professionals who are familiar with the handling of CUI to determine if your organization is handling this type of information.

It is important to note that CUI includes a wide range of information, including technical data, software, and systems, as well as non-technical information such as personnel, financial, and legal information. If your organization handles any of this type of information, it is important to ensure that appropriate controls are in place to protect it.

WHAT ARE THE DOWN FLOW REQUIREMENTS OF CMMC?

The down flow requirements of the Cybersecurity Maturity Model Compliance (CMMC) refer to the requirements that organizations must meet in order to comply with the CMMC framework. These requirements flow down from the DoD to its contractors and suppliers who handle controlled unclassified information (CUI).

The CMMC framework consists of multiple levels, ranging from basic cybersecurity hygiene to advanced and proactive security practices. The specific down flow requirements for each level of the CMMC vary, but generally include the following types of controls:

1. Access controls: Controls to ensure that only authorized individuals can access CUI.

2. Asset management: Controls to ensure that CUI is properly identified, classified, and protected.

3. Configuration management: Controls to ensure that systems and devices used to handle CUI are configured in a secure manner.

4. Identity and access management: Controls to manage and monitor the identities of individuals accessing CUI.

5. Incident response: Controls to ensure that incidents involving CUI are promptly detected, reported, and responded to.

6. Maintenance: Controls to ensure that systems and devices used to handle CUI are properly maintained and updated.

7. Media protection: Controls to protect CUI during storage, transportation, and disposal.

8. Personnel security: Controls to ensure that personnel who handle CUI are properly vetted and trained.

9. Recovery: Controls to ensure that CUI can be recovered in the event of an incident.

10. Risk management: Controls to manage and mitigate the risks associated with handling CUI.

These are some of the down flow requirements of the CMMC. Organizations must meet the requirements for the specific level of the CMMC that they are being assessed against. It is important to note that the down flow requirements for the CMMC are subject to change as the framework evolves and new threats emerge.

LET'S DISCUSS CMMC

Cybersecurity Insurance: Protect Your Business in the Digital Age

by Jacob Acker | Feb 1, 2023 | Cybersecurity Insurance

CYBERSECURITY INSURANCE

In today’s digital age, cyber threats are on the rise and can have devastating consequences for businesses of all sizes. Hackers and cyber criminals are constantly devising new ways to penetrate computer systems and steal sensitive information. This is why cybersecurity insurance is becoming increasingly important for IT clients.

Cybersecurity insurance provides financial protection against the costs associated with a cyber attack or data breach. This includes costs such as legal fees, public relations expenses, and compensation to affected customers. With the increasing frequency and sophistication of cyber threats, having this insurance in place can provide peace of mind and help mitigate the financial impact of a cyber attack.

ICS Data understands the importance of cybersecurity insurance for its IT clients. Our team of experts works closely with clients to understand their specific needs and tailor our insurance offerings to provide the best possible coverage. We believe that our clients deserve the best protection against cyber threats, and we are committed to providing them with the highest level of security and peace of mind.

In addition to our cybersecurity insurance offerings, ICS Data also provides a range of other IT services designed to help protect our clients from cyber threats. Our team of experts can help you implement strong security measures, such as firewalls and encryption, to reduce the risk of a cyber attack. We also provide ongoing monitoring and support to ensure that your systems remain secure and up-to-date with the latest security patches.

In conclusion, cybersecurity insurance is essential for IT clients in today’s digital age. With the increasing threat of cyber attacks, having this insurance in place can provide financial protection and peace of mind in the event of a breach. ICS Data is committed to providing the best possible coverage and security to its clients, and we believe that our expertise and dedication set us apart as the best choice for IT clients looking for cybersecurity insurance.

FIVE REASONS WHY AN SMB SHOULD HAVE CYBERSECURITY INSURANCE:

1. Financial Protection: Cybersecurity insurance can provide financial protection against the costs associated with a cyber attack or data breach, such as legal fees, public relations expenses, and compensation to affected customers.

2. Peace of Mind: Knowing that you have financial protection in place can provide peace of mind and help mitigate the stress of a cyber attack.

3. Expert Support: Cybersecurity insurance often includes access to experts who can help you respond to a cyber attack and minimize its impact on your business.

4. Compliance: Certain industries, such as healthcare and finance, have strict regulations regarding the handling of sensitive information. Cybersecurity insurance can help ensure that your business is in compliance with these regulations in the event of a data breach.

5. Competitive Advantage: Having cybersecurity insurance can demonstrate to customers and partners that your business takes the protection of sensitive information seriously, which can give you a competitive advantage in a crowded market.

LET'S TALK CYBERSECURITY INSURANCE

What is CMMC and How Does it Affect Me?

by Jacob Acker | Jan 16, 2023 | Compliance

WHAT IS CMMC?

Any organization (manufacturing company) hoping to work within the defense contract supply chain will need to meet the standards set by the Cybersecurity Maturity Model Compliance (CMMC). Managed by the Department of Defense (DoD), the CMMC is a tiered system of compliance measures, which are intended to evaluate the maturity of the organization’s cybersecurity systems, processes, and contingencies. CMMC was introduced in 2020, refined in 2021, and will be fully required by 2026.

Even if you’re a (manufacturing) organization that’s not looking to work with the DoD – being CMMC compliant can benefit you because it works to actively improve your cybersecurity measures.

CMMC describes a (manufacturing) company’s preparedness against key security issues. A low score on the CMMC model means that your organization is ill-prepared for potentially malicious actions, whereas a high score on the CMMC model will mean that your organization has taken active, critical steps toward mitigating malicious actors.

There are three tiers of certification in the CMMC 2.0 model:

CMMC level 1, “Foundational,” is the most basic level of compliance. This includes basic security practices, including access controls, implementing identity controls, and performing password protection. Level 1 companies don’t have a complete security strategy, they only know the basics. Many organizations start here, then improve their security solutions.
CMMC level 2, “Advanced,” is a reasonably advanced level of security compliance. If your (manufacturing) organization is hoping to work with Controlled Unclassified Information (CUI), then you will need this level of compliance. Organizations hoping to achieve Level 2 will need to follow the 110 best security practices aligned with NIST SP 800-171.
CMMC level 3, “Expert,” is the highest level of certification and what most organizations should aspire to be at. Organizations should be practicing advanced and progressive cyber hygiene, continually optimize their security processes, and analyze their network traffic. Organizations will need a sophisticated understanding of auditing, accountability, access control, and incident response. Achieving CMMC Level 3 will require an organization to follow a set of 110+ practices based on NIST SP 800-172. It will also require government-led audits, as opposed to the third-party audits necessary for achieving Level 2.

HOW DOES IT AFFECT ME?

It’s important to focus on the maturity part of the Cybersecurity Maturity Model Certification: compliance is everchanging.

New threats and defenses are established all the time, so an integral part of compliance at any level is maintaining that compliance. This can be challenging, and it is a major process to meet CMMC requirements.

Creating, enforcing, and maintaining security controls take time and when certification is available, manufacturers (you) don’t want to be left behind.

We may experience a backlog from those that are ready for certification between now and when the certification goes live. And remember that meeting CMMC Level 2 will be required for all Department of Defense (DoD) contractors, with self-attestation being minimum for Level 3 capabilities with third-party certification being required for some contractors.

There is also a complete culture shift involved with achieving the above levels of certification. Everyone needs to be aware of their role upholding compliance at every level of your organization. Therefore, these new compliance requirements mean more than just a change to the policies of your IT department. More importantly, there will be changes to how information is handled throughout your organization, and IT will underpin these changes across each department.

PRO TIP: HOW ICS DATA HELPS WITH CMMC COMPLIANCE

A business can think of CMMC as a measure of their general cybersecurity health. While CMMC has been designed specifically for DoD contracts, most of the requirements of CMMC apply to any organization dealing with critical, personally identifiable or protected information.

To tackle most DoD contracts, organizations will need basic CMMC compliance. But, that doesn’t mean that achieving better compliance shouldn’t be the ultimate goal of an organization and its IT team.

By working with us, a business can ensure that they are moving toward better cybersecurity — including CMMC compliance requirements. An organization won’t need to devote significant amounts of internal time toward compliance and will be able to achieve better compliance faster.

GET STARTED WITH CMMC COMPLIANCE TODAY

[Live] CMMC 2.0 Ongoing Updates

by Jacob Acker | Nov 23, 2022 | Compliance

GET THE LATEST CMMC 2.0 UPDATES HERE!

2022 – Q4

CMMC: The Latest

• Rule to be sent to OIRA October 2022.
• Final interim/proposed rule to be released March 2023.
• Rule in contracts beginning May 2023.
• CMMC compliance takes 9-12 months.
• Sec. 866 of the 2022 NDAA requires a report on the impact of
CMMC on small businesses within 180 days. The report must
include:
− the estimated costs of complying with each level of the
framework;
− any decrease in the number of small business concerns that
are part of the defense industrial base resulting from the
implementation and use of the framework; and
− an explanation of how the Department of Defense will mitigate
the negative effects to small business concerns that are part
of the defense industrial base resulting from the
implementation and use of the framework.”

2022 – Q3

CMMC: The Latest

• How it will work:

− DoD entered into an MOU (and now contract) with a
single CMMC Accreditation Body (AB).
− The AB will implement the CMMC model, train and
certify assessors, and evaluate assessments. The
AB sits between DoD and the contractors.
− There will be three levels of assessment with the
third being the most stringent.
− DoD will assign a CMMC rating to each contract
and only contractors that have had a successful
assessment at that rating can perform.
− It is unknown who will assign certification levels
required to subcontractors and enforce that.

How to Receive Funding for DoD Cybersecurity Compliance

by Jacob Acker | Oct 26, 2022 | Compliance

The DoD Cybersecurity Compliance is the Cybersecurity Maturity Model Certification (CMMC 2.0).

What is this?

The CMMC program is aligned to DoD’s information security requirements for Defense Industrial Base partners (those of whom create products or services that allow for the sustainability or deployment of military operations).

Why’s it important?

Michigan Cyber Defense is created a CyberSmart program that provides $22,500 to small to medium-sized businesses to help obtain the CMMC 2.0.

LEARN MORE

My company sells products or services for the military… How do I get $22,500 for CMMC 2.0?

Talk to us – we’re a pre-approved CyberSmart resource for the state of Michigan.

We conduct your gap analysis and can assist in writing your System Security Plan and Plan of Actions and Milestones. Moreover, we can help you become certified.

How do I know if I need the CMMC 2.0 Compliance?

If you create products or services for the military, you need the compliance. If you create products or services for another company that works with the military, you’re going to need the compliance.

Many times, we say that if you’re ITAR certified, you’re going to need the CMMC 2.0 certification.