
Government Contractors

Prepare for Cybersecurity Certification

Changes are coming for the government supply chain. The Department of Defense is making a push to enhance its cybersecurity by certifying and strengthening the cyber-hygiene and capabilities of small businesses that are several steps removed from the Pentagon in the contracting process.


If you are a government contractor that works with Controlled Unclassified Information (CUI), then it’s time to find a trusted partner with the expert knowledge to walk you through the upcoming certification changes.

Previously, only direct contractors were required to comply with NIST standards. Typically, those contractors work with several subcontractors to complete the project requirements. That is where the new certification and requirements are focused.

“This problem is not necessarily a tier-one supply level,” said Dana Deasy, CIO for the Department of Defense. “It’s down when you get to the tier-three and the tier-four” subcontractors.

Therefore, it’s vital that all contractors and subcontractors work with a reliable partner that will help them understand what is required and build their cyber defenses. Be aware that while this is currently a Department of Defense-related project, many other departments tend to follow the DoD’s lead.

Do you have Covered Defense Information (CDI) or Controlled Unclassified Information (CUI) in your environment?

The answer is more than likely YES. Consider the following examples of CUI data that must be protected under DFARS.

  1. Information Systems Vulnerability Information.
  2. Support of Administrative or Human Resources functions with Personally Identifiable Information (PII).
  3. Technical information including research and engineering data, drawings, and more.

Most government contractors we have worked with absolutely have CUI/CDI/CTI data in their infrastructure if they were working with the DoD and had the DFARS 7012 clause in one of their contracts.

Cyber Security Threats for Government

The U.S. Government likely holds the largest repository of data in the world. Such data are often stored on or flow through contractor systems, which increasingly are tied to Government information technology (IT) networks. Examples include:

  1. Highly-Classified National Security Secrets
  2. Critical Infrastructure Information
  3. National Intellectual Property
  4. Personal Information of Private Citizens

Cybersecurity Capability Model Certification (CCMC) Process

Many external vendors today work with the federal government to help carry out a wide range of business functions. Because of all the sensitive information transferred from the government to these vendors, the government is cracking down on the compliance and security regulations for these vendors, and for any companies that work with those vendors or service providers.

Government contractors may soon be required to have a formal cybersecurity certification as early as 2020. The certification, known as the Cybersecurity Capability Model Certification (CCMC) Standards, will allow the government to streamline the procurement process with a standard certification required for contractors with exact cybersecurity requirements.

If CDI is present in a Department of Defense (DoD) contract, CCMC will be required. Government contracts will adhere to a tiered, five-level cybersecurity maturity model ranging from basic cybersecurity controls to the specialized needs of an institutionalized cybersecurity process.

The CCMC requirement will allow a go/no-go evaluation process for federal contracts. These tiers are minimum benchmarks that contractors must meet before bidding on projects.

  1. Step 1: Assess
  2. Step 2: Adjust
  3. Step 3: Analyze
  4. Step 4: Monitor

Your Guide through the CCMC Certification Process

To ensure success with the upcoming changes, you need an organization that will guide you through preparation for the compliance audit process. Through this process, you will understand any gaps your organization may have against the compliance requirements.

Cybriant’s experienced team employs a complete four-step cybersecurity program. We will help you measure your current situation and personalize a plan specifically for your internal capabilities, budget and time sensitivity. Here’s how it works:

  1. Assess – a professional assessment of your company’s practices against the new standard. If necessary, a gap analysis will be completed to document the scope to be remediated.
  2. Adjust – supports all necessary fixes to ensure compliance. This may include updates to firewalls, patches, policy development, employee training, physical security, network configuration, etc.
  3. Analyze and Validate – verifies that all technology and physical security aspects are working properly. A penetration test may be necessary.
  4. Monitoring/Reporting – establishes ongoing monitoring and scanning of the required enterprise network, and creates a working process to log, remediate and report (as required) cyberattacks.