In the Boardroom: How to Sell Your Need for GRC Tech
Let’s dive into what GRC software is and why it’s a must-have going forward.
Data protection is essential for every organization. For organizations with government contracts, data protection and overall cybersecurity posture can be a matter of national security. In November 2021, the Department of Defense announced enhancements to its upcoming cybersecurity framework, the Cybersecurity Maturity Model Certification (CMMC).
CMMC 1.0 was announced in 2020, but the Department of Defense (DoD) updated the framework in response to industry comments, Congress, and other federal agencies. The updated set of standards is known as CMMC 2.0. However, CMMC 2.0 will not be enforced until it completes an extensive rulemaking process, which takes between nine and 24 months.
The CMMC framework creates a set of tiered cybersecurity standards that will apply to government contractors to ensure that the 300,000+ companies in the defense industrial base (DIB) supply chain maintain a strong cybersecurity posture. The three-tiered system is based on the contractor’s access level, with each tier requiring a different type of assessment and a specific set of practices.
Companies with government contracts can start preparing for compliance now. The DoD has developed Project Spectrum to help organizations evaluate their posture and make necessary changes.
Additionally, LogicGate’s Risk Cloud® platform can help organizations better understand their overall GRC status. CMMC 2.0 is closely aligned with NIST 800-171 and NIST 800-172, so complying with these frameworks represents significant progress toward future CMMC compliance.
It’s essential for any organization that has government contracts, or plans to acquire them, to prepare for compliance now. Read on to learn everything you need to understand about this critical new cybersecurity framework that will impact any organization with DoD contracts.
In 2018, Mitre Corp, with the support of the DoD, released a research paper entitled “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War.” The study highlighted the increased level of threats facing the DoD’s networks, information, and supply chain. In addition, the paper included specific recommendations on how the DoD can minimize these threats by enacting more robust cybersecurity measures for every third party it contracts.
The paper motivated the DoD to launch CMMC 1.0 on January 21, 2020, to dictate how government contractors must protect and secure access to all DoD assets. The goal of CMMC is to establish a set of robust security standards as pre-existing criteria before the DoD reviews other competitive factors, such as scheduling, performance, and cost.
“Risk-based security should be viewed as a profit center for the capture of new business rather than a ‘loss’ or an expense harmful to the bottom line.”
— Mitre Corp in its paper, “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War.”
However, CMMC 1.0 drew criticism from industry experts and other government officials. CMMC 2.0 was later announced in 2021 as a response to these comments. The goal of the updated version of the framework is to:
A significant change with CMMC 2.0 is that it will not be enforced until it has completed the rulemaking process. Additionally, tiers that allow for self-assessment will not require attestation by corporate executives, which puts renewed focus on the business-wide emphasis on excellent cybersecurity.
So, when is the CMMC compliance deadline? CMMC 2.0 will be implemented through a rulemaking process before becoming a requirement. The DoD has suspended its original CMMC piloting efforts, and the new framework will not be a requirement until formalized, except for select pilot contracts. Once complete, CMMC 2.0 will be a requirement.
CMMC 2.0 will apply to all third parties within the defense supply chain, including contractors, vendors, and any other contracted third parties related to the support of the DoD.
Once the rulemaking process is complete and CMMC 2.0 is enforced, organizations will undergo assessments based on these levels to ensure they have a strong cybersecurity posture.
The CMMC framework was established in response to the growing number of cybersecurity threats, attacks, and vulnerabilities targeting DoD contractors. Successful attacks gave malicious actors backdoor access to sensitive information assets, some of which are threats to national security.
CMMC 2.0 creates a unified framework for future DoD acquisitions. The intent is to mandate uniform and effective cybersecurity practices for all contractors. CMMC will also be incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS), which is used to award contracts. CMMC intends to serve as a verification mechanism to:
CUI is information that requires safeguarding or other dissemination controls under applicable laws, regulations, or government-wide policy. The CUI Registry discusses the specific types of information that must be protected, with a list ranging from Critical Infrastructure to International Agreements.
FCI is information not intended for public release and is provided by the government under contract to develop or deliver products or services to the government. You can view more information about FCI on the official government website.
DoD contractors have access to CUI, FCI, or both. Access to these types of information necessitates the enforcement of effective cybersecurity, as detailed by CMMC.
The original CMMC had five maturity levels, but the enhanced CMMC 2.0 has reduced them to three tiers. CMMC 2.0 also eliminates all maturity processes and unique CMMC 1.0 security practices, instead aligning closely to NIST frameworks.
The new tiered-based assessment process introduced with CMMC 2.0 calls for three tiers of assessments based on the level of information access. These assessment levels can be summarized as follows:
Additionally, CMMC 2.0 has 14 domains, down from 17 in CMMC 1.0. The new domains are more closely aligned with NIST:
The CMMC model measures the implementation of cybersecurity requirements at three levels. In addition to the assessment requirements discussed above, each level consists of a set of CMMC practices:
As with the original CMMC 1.0, any organization with government contracts must comply with CMMC 2.0 once the rulemaking process has been completed. If your company has, or is in the process of acquiring, government contracts, your first action should be to understand the data classification (CUI and FCI) in order to determine your CMMC level.
Once you’ve determined your organization’s current or prospective DoD contracts, you need to begin evaluating your cybersecurity posture and address any vulnerabilities. A GRC platform can help you gain a deeper understanding of potential issues and identify strengths in the following areas:
With the change in approach to enforcing CMMC for all new contracts after the rulemaking process, CMMC 2.0 alignment needs to be a top priority in the next few quarters. Utilizing a GRC platform to help facilitate these conversations and demonstrate compliance can help accelerate this process. As part of our holistic Controls Management and GRC platform, Risk Cloud, we offer a robust, stand-alone, CMMC Self-Assessment Application that allows your organization to conduct a readiness assessment and identify and manage gaps in your compliance with the framework. You can also conduct and output a Plan of Action & Milestones and carry out remediation before formal assessments to provide a clear picture to your Government counterparts as part of the overall compliance discussion. Request a demo to start preparing today and give your organization a head start.