Blog

Getting ready for CMMC compliance

The latest out of the DoD indicates there’s little change as to when CMMC guidelines will be implemented. The first contracts requiring CMMC certification are still expected to come online in the Fall of this year. For companies in the DIB, this means there’s no let-up in the pace for getting ready for CMMC.
 
Last week, PreVeil spoke with Peerless Tech Solutions, a Maryland-based MSP that specializes in government and DoD regulatory compliance, with a particular focus on CMMC. We spoke with them about how DIB companies can get started on improving their cybersecurity compliance in the run-up to CMMC. Our conversation below was edited for clarity and brevity.
 

 
PreVeil: You guys are keeping a close pulse on how well companies in the DIB are understanding CMMC regulations. How are you explaining the importance of CMMC to them and what it means for their cybersecurity hygiene.
 
Peerless: We explain the importance along the following paths:

  1. Identify where it exists
    We start by explaining to them that CMMC is designed to improve the cybersecurity of the DoD and, moreover, protect controlled unclassified information (CUI) from getting into the hands of our adversaries. I mean, some of them don’t even realize that they have CUI on their platform. So, we help them identify where that information might exist.
  2. Importance of flow down
    We also make it clear that CMMC is not just about CUI in your organization but CUI that flows down to subcontractors. Information is typically stolen several levels down in the DIB. So, while it might be well protected by the prime or first level sub, it is not all that well protected by the supplier 4 levels deep.
  3. Tool for differentiation
    Lastly, we tell them it is important to get on the path to CMMC compliance today because it’s a competitive advantage. It’s important to get out in front of this and differentiate yourself. If they are ready in the next few months and everyone else waits, well then they are 90 days ahead of everyone else when CMMC hits.

 
PreVeil: How do you coach those clients focused on NIST to get to where they need to be with CMMC?
 
Peerless: First of all, far fewer people are aware of NIST than are aware of CMMC. There just wasn’t the type of outreach and publicizing on NIST 800-171 like Katie Arrington has done with CMMC. And it shows. You have maybe 8% of companies at most that are NIST compliant.

8% of (DIB) companies at most that are NIST compliant.

But for those who were thinking about NIST, we tell them that it was an early step but it didn’t really have an enforcement arm behind it. While NIST 800-171 made clear that if you have CUI you need to take steps to protect it, it also allowed you to self-certify. CMMC is designed to ensure all companies in the DIB are compliant. NIST couldn’t achieve that.
 
Today, following NIST will only get you to level 1 or level 2 of CMMC compliance. However, it won’t get you to level 3 certification. There are an additional 20 controls that they need to get their arms around. And then they will need to pass an assessment. So, NIST 800-171 is really just in an advisory role in this process.
 

PreVeil: Is there anyone in the DIB yet who doesn’t realize this thing called CMMC is coming? Is there anyone not taking it seriously?
 
Peerless: I think most are taking it seriously. However, their problem is not knowing the road map they should follow. They are just looking for someone to tell them how to go forward and get onto the path of compliance. It’s just that there are so many ways to get there. No two companies are the same so everyone is going to have their own path and that’s what makes it confusing for a lot of folks.

[DIB companies] are just looking for someone to tell them how to go forward and get onto the path of compliance.

PreVeil: What pushback are you getting from your clients on CMMC compliance? What are they having trouble understanding?
 

Peerless: The main pushback is how do I get started. Folks are looking for guidance on this. Most folks know they have to do this.
 
What they are worried about though is cost. They want to become compliant. But, they are worrying about how much it is going to cost to become compliant. And, if we don’t have vision into their processes and they are not clients, we can’t easily give them an answer.
 
What we do advise in this case is to look at the cost in terms of how much a breach would cost them. They would lose clients and reputation. That thought usually gets them focused on getting started with compliance sooner than they otherwise might.
 

Learn more about what the DoD’s new CMMC requirements mean for contractors.
Download our whitepaper


PreVeil: What do you tell clients about how to start on improving their cybersecurity compliance?
 

Peerless: Honestly, the biggest challenge in getting started with this process is just all the misinformation around which solutions will address the issues you need for compliance. There are a lot of cloud productivity vendors and it’s easy to think that if you put data in a certain cloud it will meet compliance. But, this isn’t necessarily the case. And these types of mistakes can be expensive. So, it’s important to do your homework and know where you are and where you need to go.
 

To get started on the path, we first tell customers to determine where they are in terms of cybersecurity and if they are handling CUI. If they are handling CUI, they need to determine how much of the company is actually working with this type of information.
 

Once they determine where they are and what type of information they are handling, they should determine the gaps between where they are and where they want to be and create a POAM for how to get to where you are supposed to be.
 
Some companies are handling very basic information that is not CUI so they really only need to get to a level 1. For them, getting to compliance is going to be easy. They just need to ensure they have proper firewalls, anti-virus, and back-ups.
 
For others who are handling CUI, the process is more involved. They need to determine if their whole organization needs to be level 3 compliant or if an enclave approach is more appropriate, whereby only part of their company needs to embrace a compliance solution.

Some companies are handling very basic information that is not CUI so they really only need to get to a level 1. For others who are handling CUI, the process is more involved.

They also need to look at what level of risk are they are willing to take. How well can they trust everyone in their organization to respect CUI? Depending on their answer, they might need more or less security around viewing and exchanging data.
 
PreVeil: How do you see end-to-end encryption and file sharing, solutions like PreVeil, helping companies in the DIB get started on their path to compliance?
 
Peerless: Earlier, I mentioned that depending on what a company finds in terms of their need for securing CUI across the company, they might find that they need to secure every employee or they might find that they can use an enclave approach – meaning they deploy to a section of the company.
 
PreVeil’s end-to-end encryption solution provides a perfect platform for the enclave approach because it is light weight and easy to implement to just those users who need to protect CUI in a portion of their company. It enables significant cost savings and its faster time to deploy than just about any alternative. This is particularly true for small to mid-sized companies. It’s a great fit for them.
 
PreVeil: Before we finish up, is there anything else DIBs should be aware of when it comes to CMMC?
 
Peerless: Yes, two things, first, the difference between CMMC and NIST 800-171 is CMMC is an organizational certification for any business planning to do business with the DoD. NIST 800-171 was put in place to protect data, with the data being CUI or CDI when it is present within a DIBs internal information system.
 
Second, until we have final guidance from the CMMC-AB around the certification process we can’t guarantee, nor do we promise anyone that they will meet the criteria. To this point we DO know the controls required for each level, what we don’t know is how in-depth those controls will need to be to pass the audit and obtain the certification. But, we can and are preparing those early adopters so that when that information is available minor changes can be made and they can be first in line for their certification audit.
 
PreVeil: Well thank you very much for your time and talking to us.
 
Peerless: Thank you.


Learn more about how PreVeil can facilitate your compliance with CMMC. Download our whitepaper!

Download Whitepaper