On January 31st, 2020, the Pentagon released version 1.0 of its unified cybersecurity standard that all contractors must meet by 2026.
The standard, called the Cybersecurity Maturity Model Certification (CMMC), will apply to any company of any size that does business with the Department of Defense. CMMC will apply to subcontractors as well as primes.
The Pentagon acknowledged that CMMC will be a complicated rollout and that a five-year timeline was necessary before making it mandatory in all contracts. Over the 5 years the Pentagon intends to gradually increase the scope demanding CMMC compliance for more projects (up to 500 projects requiring CMMC compliance prior to the 5-year timeline).
While questions remain, however, on how smaller companies will be able to meet the standards without undue burden the DOD has stressed that small and medium-sized businesses were a priority in rolling out CMMC.
While the actual standards themselves aren’t brand new — CMMC borrows heavily borrowed from the existing NIST Cybersecurity Framework such as NIST 800-171. CUI discovery and tracking (a key tenant in NIST 800-171 standard) is one of the hardest requirements for an SMB/SME to address (unlike enterprises which typically have resources dedicated to data protection).
Actifile routinely helps its SMB/SME customers self-assess NIST 800-171 by discovering Controlled Unclassified Information and making sure the information is tracked and protected (including using AES256 encryption) and removed upon completion of the projects.
Furthermore, it helps the MSB/SME and their MSPs understand which devices house CUI, helps them consolidate the CUI, and helps redirect cybersecurity to those devices that matter.
So don’t risk getting access to government contracts: Ask your MSP about NIST 800-171 readiness today.