Defense Industrial Base, Cybersecurity Maturity Model Certification, CMMC
Attacks against DIB partners continue, and attacker attention has shifted to the smaller subcontractors as a path into the prime contractors' networks and data.
The DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). CMMC serves as a verification mechanism to ensure that appropriate cybersecurity controls and processes are in place and adequate to protect controlled unclassified information (CUI) that resides on the networks of the Department's industry partners.
The level of certification required depends on the Controlled Unclassified Information (CUI) that your company handles or processes and will be specified in the contract. Unlike the existing DFARS / NIST SP 800-171 regime, which relied on self-attestation, CMMC eliminates self-certification: every assessment must be performed by an accredited third-party CMMC assessor.
It is reasonable to expect that the U.S. Government will terminate contracts with prime contractors over non-compliance with DFARS / NIST SP 800-171 requirements, since non-compliance is a failure to meet the terms of the contract. Because the requirements flow down, a non-compliant subcontractor makes the prime contractor non-compliant as a whole.
If a company states that it is compliant when it knows it is not, that is a misrepresentation of material fact, i.e., fraud: an act intended to deceive through a false representation of fact that results in legal detriment to the party relying on the false information. Such a false certification can carry both civil and criminal liability (e.g., under the False Claims Act).
Both prime contractors and subcontractors could be exposed legally. A tort is a civil wrong committed against another party, for which the injured party can sue for damages. The most likely DFARS / NIST SP 800-171-related tort would be a negligence claim against a party that failed to maintain a specific standard of care (e.g., the DFARS / NIST SP 800-171 cybersecurity controls).
CMMC is still in draft and less than 12 months away, so it is important to start implementing the NIST SP 800-171 and draft CMMC 0.7 security requirements now. Implementing the NIST SP 800-171 requirements includes:
Performing a detailed assessment to determine your current compliance level, with specific remediation actions needed to meet the DFARS / CMMC requirements
Developing the required System Security Plan (SSP) and Plan of Action & Milestones (POA&M), so you can provide documented evidence to the DoD or your prime contractor that you are on your way towards compliance
Closing the gaps exposed by the assessment through an Inceptus Protection Plan. We bring the fundamentals back to cyber and blend them with current processes and technologies to detect, deter, defend against, respond to and recover from threats anywhere in your business ecosystem
Implementing the security controls and requirements in NIST SP 800-171, draft NIST SP 800-171B and CMMC 0.7, and producing the evidence needed for a successful audit