Monday, July 1, 2024

How Should CMMC Impact Your Remote Work Policies?

By Zac Amos, Features Editor, ReHack

Cybersecurity Maturity Model Certification (CMMC) is another compliance framework that Defense Industrial Base (DIB) contractors can add to their toolkit to work for the Department of Defense (DoD).

Government contractors need to seek out the latest version of this framework to stay secure as new work habits and conditions expand beyond traditionally safe bounds. How will CMMC keep the mobile work revolution safe, especially in critical government jobs?

What is CMMC and how are contractors compliant?

CMMC, formerly known as Defense Federal Acquisition Regulation Supplement (DFARS), is a comprehensive cybersecurity framework to ensure defense contractors’ skills, knowledge, and credibility. Companies and individuals bidding on government contracts must remain relevant in the highly competitive cyber environment. Many people wonder if there is room for contractors to work remotely. There is, but additional rules apply.

Third-party assessors and self-assessments analyze familiarity with government protocols and cybersecurity know-how. How can these entities protect government data such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI)? If threat actors break through your defenses, do you know how to operate with high-risk and priceless data?

Compliance requires exploring the three levels of qualification, receiving interim assessments and third-party audits, and drafting plans of action and milestones. There’s a lot to unravel before you get your stamp of approval, but it allows contractors to earn trust and prove their commitment to digital protection.

How does CMMC affect remote work?

Previously, government contractors were in a controlled environment with company-sponsored cybersecurity infrastructure. The increase in remote working expands the attack surface immeasurably, so CMMC has created guidelines for adapting to this lifestyle by looking at cloud computing and quality assurance on the go. However, much of remote work compliance concerns various aspects of remote access.

Contractors should practice monitoring remote access points and connections. Remote access is a streamlined way to access a protected system from a secure location, but the connection must be encrypted and secured. Networks that allow access should install additional verification measures, such as intrusion detection and encryption, and maintain detailed reports to prove to auditors that privileges have been minimized and recorded. This helps prevent cyberattacks against remote environments.

In addition to managing remote access, companies need to evaluate permissions. What can administrators do and how much control do they have with remote sessions? Can these tasks (maintenance or operations) be performed on or off the network, or do they require connectivity?

The various work-from-home measures depend on the assigned CMMC level, so not all precautions are necessary if the contractor does not plan to progress to level 3. Remote contractors accessing CUI should be particularly aware of the following specific controls:

  • 1.12
  • 1.13
  • 1.14
  • 10.6
  • 13.7
  • 5.3

For example, two-factor authentication is not required at all levels, but 57% of organizations used these verification tools in 2019. The effect is sound, so why not incorporate it into your remote work procedures?

How can companies comply with the remote policy?

One of the best ways to achieve regulatory compliance is to incorporate security tools. Here’s a strong start for equipping remote contractors.

  • Multi-factor authentication (MFA) software
  • Hardware-based Virtual Private Network (VPN)
  • Tokenization
  • Indicators for external device connections, such as a microphone

Advanced actions can further restrict access by collecting data on contractor activity. Companies can set up alerts when irregular access locations occur or contractors log in at irregular times. You can also monitor for access attempts by devices not authorized by your company.
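The three alert conditions described above (irregular location, irregular login time, unauthorized device), as an added example that is not from the article or from CMMC itself. The log format, user names, device IDs and per-contractor baselines are all constructed assumptions, and timestamps are assumed to be in the contractor's local time.

```python
from datetime import datetime, time

# Constructed per-contractor baseline (illustrative assumptions, not CMMC values).
POLICY = {
    "asmith": {"countries": {"US"}, "hours": (time(7, 0), time(19, 0)),
               "devices": {"LT-0412"}},
    "bjones": {"countries": {"US", "CA"}, "hours": (time(8, 0), time(18, 0)),
               "devices": {"LT-0388", "TB-0021"}},
}

# Constructed remote-access log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
ts=2024-06-03T09:14:00 user=asmith country=US device=LT-0412 result=success
ts=2024-06-03T02:41:00 user=asmith country=US device=LT-0412 result=success
ts=2024-06-03T10:05:00 user=bjones country=RO device=LT-0388 result=success
ts=2024-06-03T11:30:00 user=bjones country=CA device=PC-9999 result=failure
ts=2024-06-03T12:00:00 user=cdoe country=US device=LT-0500 result=success
"""

def parse_line(line):
    """Split one key=value log line into a dict; ts becomes a datetime."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def check_event(rec, policy=POLICY):
    """Return the alert reasons for one access attempt (empty list = normal)."""
    base = policy.get(rec["user"])
    if base is None:
        return ["unknown_user"]  # no baseline on file: always surface it
    reasons = []
    if rec["country"] not in base["countries"]:
        reasons.append("irregular_location")
    start, end = base["hours"]
    if not (start <= rec["ts"].time() <= end):
        reasons.append("irregular_time")
    if rec["device"] not in base["devices"]:
        reasons.append("unauthorized_device")  # failed attempts count too
    return reasons

def scan(log_text, policy=POLICY):
    """Return (user, timestamp, reasons) for every event that raises an alert."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        reasons = check_event(rec, policy)
        if reasons:
            alerts.append((rec["user"], rec["ts"].isoformat(), reasons))
    return alerts
```

Retaining the output of `scan` alongside the raw logs also gives auditors a record of which access attempts were flagged and why.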

Contractors can also refer to NIST 800-171 to enforce remote compliance. It is the backbone of CMMC, and any cybersecurity framework, local or remote, can benefit from reviewing what CMMC has to offer.

Another, less formal way to get workers to achieve CMMC compliance for remote desks is to insist on professional behavior. Working from home has perks like a looser dress code, but that mindset shift should not compromise discretion and security. Companies that hire contractors can set clear expectations about how to stay productive and aware, even while working in less-than-traditional environments.

Extend compliance beyond the office door

CMMC is preparing contractors for the next phase of the remote work revolution. The space through which threat actors can infiltrate sensitive areas has increased to potentially any geographic point on the planet. Compliance is the touchstone for enhancing a secure digital workplace.

The resources for building a safe space for government data are here, and the digital tools and assets it protects improve every day. CMMC’s revision demonstrates its willingness to adapt to new working environments and global changes, so contractors should keep up to date with updates at all costs.

About the author

Zac Amos is ReHack’s Features Editor, covering the cybersecurity and technology industries. Follow him on Twitter or LinkedIn for more of his content.
