Do you sell to the U.S. Department of Defense?


The U.S. Department of Defense (DoD) buys products and services from roughly 300,000 organizations worldwide.  Whether you sell directly to the DoD or partner with a company that does, there is a chance you sell to the DoD.

The DoD realized years ago that the only way it can protect its sensitive information is to ensure the 300,000 companies in its supply chain have some level of cybersecurity.  The DoD has established a standard – the Cyber Maturity Model Certification (CMMC) standard – that will apply to virtually every organization in its entire supply chain.

The requirements in the CMMC are not rocket science – they are good cyber hygiene.  In fact, Level 3 in the CMMC is called exactly that: “Good Cyber Hygiene”.  Level 1 is called “Basic Cyber Hygiene”.  The vast majority of organizations (potentially including yours) only need to be certified at Level 1.  Basic Cyber Hygiene, according to the CMMC, consists of seventeen cybersecurity best practices that every business should be doing.

Are you doing all 17 of the basic practices?

The Basic 17 cybersecurity practices align with the basic information protection requirements in Federal contracts (FAR 52.204-2), even those not issued by the DoD.  If you are doing work for the Federal Government, someone in your organization is almost certainly attesting that you are doing these things.

You should definitely check to be sure you are doing the things you are telling the Government you are doing.

Do you need to do more than the basics?

If your organization handles Controlled Unclassified Information (CUI) or information carrying any of the older labels (‘For Official Use Only’ (FOUO) or ‘Sensitive But Unclassified’ (SBU), to name just a couple), you almost certainly need to achieve “Good Cyber Hygiene”.  That comprises 130 practices plus policies and procedures for all 17 practice areas.

If your organization handles “Controlled Technical Information” (CTI), you need to achieve Level 4 (“Proactive”) certification.  That requires 156 practices and even more process controls.

Does it seem like a lot to get your head around?

It is a lot.  Fortunately, while you focus your time and energy on running your business there are those of us who live and breathe cybersecurity and regulatory compliance.  We are here to help you understand what it is you need to do and to help you get it done.  SideChannel is a CMMC Registered Practitioner Organization with CMMC certified Registered Practitioners on staff.  Our virtual CISOs can work with your organization to help you meet the security requirements of your current and future Government engagements.

Michael Waters ~ Principal Consultant at SideChannel