Feds Take IT Security To The Next Level

The nation is stepping up its IT security game going into 2021, and it all starts with government initiatives.

Earlier this year, the Department of Defense introduced its Cybersecurity Maturity Model Certification (CMMC), the latest development in an IT security strategy for defense contractors. The certification requires new contractors to verify their IT security at every level, from employee passwords to the handling of Controlled Unclassified Information (CUI). The new rules are designed to guarantee a strong, competent baseline of compliance with DoD expectations for IT security providers, a decisive step in the right direction for national IT security.

To choose its IT security providers, the Pentagon holds bidding contests for interested entities, while approved third-party assessors evaluate those entities and determine their eligibility. With the implementation of the CMMC, these contracted entities will also need to abide by a heightened level of IT security.

Now a critical deadline approaches: on December 1, the Pentagon will award the first fifteen contracts to newly selected compliant providers. The providers will need to meet and maintain the CMMC's new standards while also adhering to individual agency standards, depending on the sensitivity of the information being handled.

Compliance Conditions

The CMMC lays out five levels of compliance. Level one identifies 17 "domains" of cybersecurity, covering basics such as whether the provider uses antivirus software or updates its passwords regularly, and mandates that providers have a control in place for each of the domains.

Level two involves the Pentagon assisting providers in planning, budgeting, and preparing to handle IT security at higher levels. Level three involves a steep increase in required controls, from 17 to 110, derived from National Institute of Standards and Technology (NIST) compliance requirements, to ensure the provider's ability to manage CUI. Levels four and five are by far the most demanding, adding controls meant for high-priority providers that work on more sensitive contracts.

On December 1, the Pentagon will announce its new CMMC-compliant contracts, as well as pilot programs it plans to launch in 2021. The programs involve everything from Cyber Command to the Missile Defense Agency, and all of the providers involved will be required to meet the 110 controls listed in level three.

Notably, the CMMC runs on a "go/no-go" principle: providers certified at a higher level must also meet every preceding level, including the seemingly basic controls at level one. And although that may seem easy, experts warn that level one controls can be the easiest to miss.

In fact, your organization may already be closer than most to working for the Pentagon, or at least to matching its high standards. If you change your passwords regularly, implement two-factor authentication, and make sure to label sensitive documents appropriately (yes, this is a real IT security shortcoming!), you have an idea of the controls the CMMC calls for at level one: the sort of basic protocols that make your everyday security that much more resilient.

But the DoD isn't raising its standards solely for the sake of national security. It also hopes to inspire IT security companies to reevaluate their vulnerability management. Failing to meet IT security regulations in the first place, or failing to identify and patch issues in a timely fashion, creates critical weaknesses in the IT security supply chain, so it is important to ensure your compliance at all levels and at all times.

Partners With Equally High Standards

The DoD's exhaustive selection process will undoubtedly help it secure strong partners for the agency's IT security. When vetting vendors yourself, remember that not all are created equal. Be sure to ask the right questions to find the right partner.

You might be a Pentagon security hopeful, a small-to-medium-sized business, or simply a private organization trying to make it through unprecedented times. Whatever the case, your IT security is worth prioritizing, and you can start with affordable, customizable offerings that address your organization's unique needs.

For more information, contact us today.
