Cybersecurity Maturity Model Certification (CMMC) is used by the United States Department of Defense (DoD) to ensure that all contractors adequately protect sensitive information. CMMC is standardized and mandates uniform cybersecurity requirements and practices for any company that wishes to bid for defense industrial base contracts.
The latest CMMC 2.0 model has three levels (replacing the five-tier system in CMMC 1.02). Announced on July 17, 2021, the three CMMC levels are Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). CMMC assessment requirements vary based on the level of certification needed.
To achieve CMMC status, contractors and subcontractors will be subject to external third-party audits. The days of self-certification and attesting by DoD contractors under the former NIST compliance framework have come to an end.
CMMC: Key Points for Companies
All contractors bidding for defense industrial base contracts will first need to demonstrate CMMC compliance.
The entry point for the majority of DIB contracts that have CUI will be CMMC Level 2 compliance.
It is the responsibility of individual companies to meet CMMC compliance and they must meet the financial costs of achieving compliance.
CMMC compliance approval may be subject to third party external audits.
Why is CMMC so Important?
Safeguarding CUI and FCI CMMC
Foreign hostile actors are working continually to compromise national security. Their goal may be to steal advanced technologies or to gain insights into the military capabilities of the United States and its allies. Legitimate private companies, working as DIB contractors, have previously been a soft target for hostile actors using a range of cyber-attack methods.
CMMC is designed to eliminate weaknesses and vulnerabilities and protect controlled unclassified information (CUI). It provides a (verifiable) shield against industrial and military espionage and sabotage. CMMC accredited companies that can guarantee the security of DOD CUI are free to focus on bidding for new DoD contracts and fulfilling their existing contracts. Level 2 CMMC compliance is a passport to the lucrative world of the defense industrial base supply chain.
Federal contract information specifies the CMMC requirements for specific projects. FCI CMMC requirements are straightforward and the minimum compliance standards for each level of CMMC accreditation are published by the US Government.
Actifile Software - Your First Step to CMMC Compliance
Actifile software is revolutionizing how companies and MSPs manage sensitive data. Actifile uses an automated audit to discover and map data across your entire IT ecosystem. Users receive a US dollar valuation of potential data loss penalties and can encrypt data (FIPS encryption values) across any server, workstation or laptop with a single click.
Actifile can assist with preparing for compliance initiatives such as Cybersecurity Maturity Model Certification (CMMC) v2. The software provides necessary evidence for DoD CMMC accreditation and the indelible Actifile log prepares companies for any external audits.
Actifile can help companies (and their RP/RPO) that are responsible for safeguarding CUI. Users can search for and map data such as DoD CUI, FCI and FOUO, and establish precisely how much sensitive data they store. Actifile can also help identify ITAR and EAR regulated data.
We have prepared a detailed mapping of CMMC v2 controls to help companies (and their RP/RPO) understand how Actifile can help with FCI CMMC and other compliance requirements. Please note that in some cases Actifile can provide either full or partial coverage of the control, depending on the scenario.
Mapping of Actifile Capabilities to FCI CMMC Controls
CMMC 2.0 | CMMC 1.02 | NIST 800-171 | Control Description | Actifile |
LEVEL 2 | | | | |
SC.L2-3.13.16 | SC.3.191 | 3.13.16 | Safeguarding CUI at rest. | Actifile helps find CUI and encrypt the data to FIPS encryption levels. DOD CUI data is kept completely confidential. |
SC.L2-3.13.11 | SC.3.177 | 3.13.11 | Employ FIPS-validated cryptography to protect the confidentiality | Actifile can be set to use FIPS-140-2 validated encryption when encrypting DOD CUI data. |
MP.L2-3.8.6 | MP.3.125 | 3.8.6 | Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport ( unless otherwise protected by alternative physical safeguards). | Actifile uses file-based encryption for encrypting DOD CUI wherever it is stored. FIPS encryption guarantees the safeguarding of CUI data stored on digital media used for transport. |
MP.L2-3.8.8 | MP.3.123 | 3.8.8 | Prohibit the use of portable storage devices when such devices have no identifiable owner. | Actifile can prevent the copying of data such as CUI to portable storage. Actifile cannot limit this ability to unknown users. |
AC.L2-3.1.13 | AC.3.014 | 3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | Actifile uses file-based FIPS encryption to encrypt data wherever it is stored or transferred. Confidentiality is automatically protected across remote access sessions. |
AC.L2-3.1.19 | AC.3.022 | 3.1.19 | Encrypt CUI on mobile devices and mobile computing platforms. | Actifile uses file-based FIPS encryption to encrypt CUI registry data wherever it is stored. CUI data remains secure when stored on mobile devices. N.B. Actifile cannot currently decrypt files on mobile devices. |
SC.L2-3.13.8 | SC.3.185 | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of Controlled Unclassified Information (CUI) during transmission, unless otherwise protected by alternative physical safeguards. | Actifile uses file-based encryption when encrypting CUI across all storage locations. Sensitive data remains secure when stored on digital media used for transmission. |
MP.L2-3.8.9 | RE.2.138 | 3.8.9 | Protect the confidentiality of backup CUI at storage locations. | Actifile uses file-based encryption to encrypt CUI wherever it is stored. CUI data remains secure when stored on digital media used for backup. |
AU.L2-3.3.2 | AU.2.041 | 3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | Actifile indelibly logs each use of data (including CUI registry data) to the individual user. Actifile guarantees full individual accountability. |
AC.L2-3.1.3 | AC.2.016 | 3.1.3 | Control the flow of CUI in accordance with approved authorizations. | Actifile includes simple DLP controls that can prevent unauthorized data flow. |
AC.L2-3.1.21 | AC.2.006 | 3.1.21 | Limit use of portable storage devices on external systems. | Actifile can prevent copying of data such as CUI to portable storage. |
LEVEL 1 | | | | |
AC.L1-3.1.20 | AC.1.003 | 3.1.20 | Verify and control/limit connections to and use of external information systems. | |
Deprecated from CMMC 1.02 to 2.0 | SI.5.223 | 3.14.2e | Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior. | |
Deprecated from CMMC 1.02 to 2.0 | AC.4.023 | 3.1.3e | Control information flows between security domains on connected systems. | |
Deprecated from CMMC 1.02 to 2.0 | SC.3.193 | NA | Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter) | |
Deprecated from CMMC 1.02 to 2.0 | AM.3.036 | NA | Define procedures for the handling of CUI data. (Use Actifile as part of the procedure to identify when CUI is introduced into the network and track it through its lifecycle to its destruction) | |
The Importance of Safeguarding CUI
The compliance landscape has altered fundamentally in the last few years. Any company that wants to enter the profitable defense industrial base supply chain has to demonstrate CMMC compliance - usually at Level 3 or above. The CMMC compliance framework shows all the signs of becoming an effective cybersecurity benchmark. It may well extend to all Federal Government - and even many State Government - contracts over the next decade.
Even in the private sector, cybersecurity and the safeguarding of sensitive data is a major concern for all businesses. The financial consequences of data breaches are frequently devastating. A crippling combination of regulatory penalties, civil liabilities and lost business often breaks smaller companies. Maintaining an obsolete DLP project to protect sensitive data is expensive, time-consuming - and frequently ineffective.
Actifle delivers a comprehensive, cost-effective and fully automated data protection solution. The software puts IT managers firmly in control of their sensitive data and CUI registry. Actifile’s FIPS encryption eliminates the problem of how to store CUI and creates a working foundation for future FCI CMMC compatibility.
3 Key Advantages of Actifile Software
Over 1,000 companies are now benefiting directly from groundbreaking Actifile software.
Actifile is entirely user-friendly. Any IT manager can quickly master the software without specialist training.
Actifile is completely business-friendly. data encryption tool eliminates the need for users and passwords and there is no disruption to workflows or employees.
Actifile users can streamline their IT operations and redirect wasted DLP resources into building their business.
You may also be interested in:
How to Protect CUI in just 48 Hours
Next generation Actifile software is an outstanding tool for both for CUI classification and for safeguarding CUI. Whatever your current business model or specialist field, the chances are that your IT ecosystem contains unprotected sensitive data. Schedule a FREE risk assessment meeting with Actifile today. A free automated audit will locate and map sensitive data in less than 48 hours, and we will advise on how to protect and how to store CUI securely with invisible encryption.
Try the Free Actifile risk assessment