Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Trustwave Blog

New Year, Same CMMC: What Your Organization Needs to Know Now

With the start of a new year, organizations hoping to do business with the U.S. Department of Defense (DoD) need to be more aware than ever of Cybersecurity Maturity Model Certification (CMMC) requirements.

If you’re new to the world of CMMC, this blog post offers a comprehensive overview of what the standard is, what it’s intended to do, and why it’s so important. For organizations that are already versed on the basics of CMMC compliance and are working toward achieving the appropriate maturity level, the interview below with Darren Van Booven, Lead Principal Consultant at Trustwave, CMMC Registered Practitioner, and former CISO of the U.S. House of Representatives, can help you assess your CMMC readiness for 2021.

Q:    What is the current state of the CMMC framework? What should organizations be doing to be eligible for contracts?

Darren:    The official first version of the CMMC framework was released in early 2020. However, to formally implement CMMC within DoD’s procurement system, there needed to be an update to the Defense Federal Acquisition Regulation Supplement (DFARS). That DFARS update has now happened, and the interim final rule went into effect on November 30th. With the DFARS update the DoD supply chain and CMMC Marketplace are waiting on two things. The first is the introduction of CMMC requirements inside procurement solicitations. Right now, the DoD is able to start doing that. In a December 15, 2020 news release, the DoD announced the CMMC pilot contracts on a select group of new acquisition opportunities within the U.S. Navy, U.S. Air Force, and Missile Defense Agency. Because CMMC is being phased in over a period of 5 years, not every DoD contract will contain CMMC requirements at first.

The second step, which is what the DoD is anticipating, is for the CMMC Accreditation Body to certify enough third-party assessors who can perform the actual certification reviews to the point of meeting the demand. Right now, DOD is doing provisional assessments, which do not result in real certification. Official CMMC assessments resulting in certifications will begin in the coming weeks and months.

But that process is in place – and the CMMC Accreditation Body has said that the organizations that will get priority when it comes to achieving their certifications will be those who need to respond to the initial RFPs. That’s important – there are about 300,000 members of the defense supply chain and everyone can’t be certified at once.

Q:    What advice and guidance are you offering to your clients?

Darren:    The questions I get the most are from organizations who know what CMMC is, but don’t necessarily know how it will affect them, and what they should be doing now. So, the guidance I would offer is threefold:  

  1. You need to know what level you should go after. The way you do that is to understand what kind of information you are storing or generating as part of your contract, whether it’s Federal contract information or controlled unclassified information. That is what drives the level of certification you’ll need. If your organization doesn’t know the answer to that question, work with your contracting officer to understand it.

  2. Once you understand what kind of data you have, you need to understand who touches that data. What contractors and subcontractors have access to it? The reason to do that is that it will help you establish your certification boundaries. Organizations might be doing a lot of federal business, but not a lot of DoD business, and it will be more beneficial for them to limit their CMMC certifications appropriately.  

  3. Finally, it’s a matter of what you can prove. Your assessors will ask for evidence proving that you are following the proper practices. Evidence can include in-person interviews, documentation, or testing. You will need evidence from at least two out of the three types, and your assessor has to get that information from people who are actually doing the work. So, organizations need to be ready to for that and it will be extremely time-consuming and unfamiliar for many.

These are all things that organizations should be doing now – so they’re not rushed later on.

Q.    How can Trustwave help?

Darren:    One of our strengths, as a full-service security company, is that we can help you make implementing CMMC compliance easier. You’ll need to do your planning and assessment by looking at your practices and finding your gaps. You’ll need to identify and find your data, so you can properly protect it. You’ll need to remediate gaps like missing policies, monitoring controls that might not be in place, managed testing services, and more. Trustwave can help with the entire process.



17464_cmmc_cover
DATA SHEET

Cybersecurity Maturity Model Certification (CMMC)

Department of Defense (DoD) requires proof of CMMC compliance to ensure protection of controlled unclassified information (CUI) from nation-state and nefarious actors, while keeping the supply chain running safely. Is your Cybersecurity maturity plan at the desired level to participate in the US government contract bidding process?

As breaches continue to be more commonplace, data infractions have continued to grow as well. In addition, threats to critical government assets also continue to increase in frequency and stealthiness. It is, therefore, paramount that agency visibility, control and cybersecurity plans continue to expand to face these threats by protecting national security and uninterrupted production. Fortunately, the DoD and other critical government groups have begun mandating cybersecurity capabilities for all vendors in their supply chain to meet NIST 800.171, NIST 800.53 and CMMC today.

 

Latest Trustwave Blogs

Comparably Honors Trustwave with Leadership and Career Growth Awards

Comparably, the leading workplace culture and compensation monitoring employee review platform has recognized Trustwave with two major awards: 2024 Best Companies for Career Growth and 2024 Best...

Read More

Why Removing Phishing Emails from Inboxes is Crucial for Healthcare Security

The adage "data is the new oil" doesn't resonate with everyone. Personally, having grown up around cars thanks to my dad, a master mechanic, I see oil as messy and cumbersome. Data, in my view, is...

Read More

How Deepfakes May Impact Upcoming Elections Worldwide

The common fear regarding election interference is that a threat actor will gain access to either ballot machines or the networks that tally votes. However, there is a much easier method a person...

Read More