Latest Updates on Cybersecurity Maturity Model Certification You Should Know About

Have you heard about the Justice Department’s new Civil Cyber-Fraud Initiative, which aims to hold contractors responsible for cybersecurity? The Department of Justice is now enforcing cybersecurity compliance under the False Claims Act, and it is encouraging whistleblowers to come forward. A new task force will investigate contractors who conceal breach data or falsify compliance score declarations. DCMA is already using DIBCAC audits to enforce DFARS compliance. Furthermore, prime contractors bear significant responsibility for ensuring that their suppliers accurately describe their security programs, and for disciplining those who do not.

CMMC-AB and DoD officials provided further explanation and details on CMMC 2.0 during the CMMC-AB Town Hall on November 9th. Five critical takeaways emerged from that discussion:

Audits aren’t going away anytime soon. DCMA DIBCAC audits are ongoing, and DCMA has the authority to conduct an inspection for any reason it sees fit. Once CMMC 2.0 is implemented, third-party C3PAOs will audit critical Level 2 contracts involving prioritized acquisitions.

For non-prioritized Level 2 contracts, a corporate official must sign off on the firm’s self-assessment and affirm that it satisfies the 110 NIST 800-172 controls. If the official fraudulently reports compliance, the organization is liable under the False Claims Act and the Department of Justice can prosecute.

The highest-weighted Level 2 controls will not be eligible for POAMs. For example, companies will be unable to open a POAM for AC 3.1.13, “cryptographic procedures to guarantee the secrecy of remote access sessions,” which carries an SPRS weight of 5. An organization could, however, create a POAM for AC 3.1.8, “limiting failed login attempts,” which has an SPRS weight of 1. Any POAM that is established must be closed within 180 days.

Level 2 certification is required for organizations that handle any sort of CUI. That means businesses must take the necessary steps to safeguard CUI with FIPS 140-2 validated modules. Additionally, if the company uses cloud services, it must confirm that the provider meets the FedRAMP Moderate Baseline Equivalent and DFARS requirements.

DFARS 7012, which incorporates the 110 controls in NIST 800-171, applies to any entity that currently handles CUI. Organizations that are not fully compliant should close out POAMs pertaining to those controls.

CMMC 2.0 strengthens the approach to implementing NIST 800-171.

While CMMC 2.0 works its way through the federal rulemaking process, the DoD’s existing rules for protecting CUI remain in place. Noncompliance brings severe legal and commercial consequences. Without a doubt, organizations that work for the Department of Defense must maintain their compliance programs and raise their NIST 800-171 scores toward 110.

Vendors that do not put a DFARS-compliant cybersecurity program in place now will have no time to react when CMMC 2.0 becomes law or an audit is headed their way. When contracts are awarded, new rules emerge, or audits occur, companies that are prepared and compliant will hold a strategic advantage.

Implementing CMMC 2.0 will take time, but until then data security will remain a key national security priority. Reducing the DIB’s attack surface and protecting data from our nation’s adversaries is an ongoing effort that is well worth the investment.