COMPLIANCE

Complete compliance programs to bring you peace of mind.

We bring unparalleled compliance expertise to our clients. CastleLock compliance services are designed to help you meet your compliance requirements and safeguard your sensitive information. With CastleLock there are no more compliance surprises.

DFARS 252.204-7012

The Defense Federal Acquisition Regulation Supplement (DFARS) is a supplement to the Federal Acquisition Regulation (FAR) that the Department of Defense uses to set the rules for procuring everything it needs to operate. The DFARS is a body of regulations and contract clauses with requirements for managing the DoD supply chain. DFARS 252.204-7012 is the clause most often meant when people speak of being "DFARS compliant". There is no DFARS compliance certification, but organizations that accept this clause in a contract take on binding contractual obligations. DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, sets out the core requirements for organizations that collect, develop, receive, transmit, use, or store Covered Defense Information (CDI) in performance of a contract, including the 72-hour cyber incident reporting duty its title refers to.

CMMC

The Cybersecurity Maturity Model Certification (CMMC) was released on January 31, 2020 and is expected to be fully implemented by 2025. CMMC is the Department of Defense's new approach to managing cyber risk in the DoD supply chain. It is a five-level, cumulative maturity framework: every member of the DoD supply chain will be required to meet CMMC Level 1 at a minimum, and CMMC Level 3 if they collect, develop, receive, transmit, use, or store Controlled Unclassified Information (CUI) in performance of a contract. The model incorporates practices from NIST SP 800-171, FAR clause 52.204-21, the draft NIST SP 800-171B, and other sources.

NIST 800-171

A derivative of NIST SP 800-53, NIST SP 800-171 was first published in June 2015 (Revision 1 followed in December 2016) to define the minimum requirements for protecting Controlled Unclassified Information in nonfederal systems. Its 110 security requirements across 14 families are the core, but not the only, requirement for safeguarding Covered Defense Information under DFARS clause 252.204-7012. If an organization plans to do business with the Department of Defense and the opportunity involves covered defense information, understanding this framework is essential. CastleLock consultants have been helping organizations understand and fully implement all 110 requirements since the NIST SP 800-171 draft was published in 2015.

Cybersecurity Maturity Model Certification (CMMC) Gap Assessment

As a DoD contractor, the thought of your business being disrupted by DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and the upcoming Cybersecurity Maturity Model Certification (CMMC) process may be overwhelming.

What steps should I take now?

1. Gap Analysis

The first step in identifying the risks and exposure of your company's information security program against DFARS 252.204-7012 is to conduct a gap analysis. A gap analysis identifies deficiencies against the current DFARS cybersecurity requirements and the upcoming CMMC requirements, so that remediation can be planned and tracked before an assessor looks at the environment.

2. Certification

While DFARS allows for self-attestation, CMMC maturity levels will be assessed by an independent certification body. The certification body has yet to be announced, but the practices DoD suppliers will be required to implement at each maturity level have already been published. Hiring a third party now to conduct a neutral evaluation of your controls, policies, and processes ensures your company's information security program is ready once the certification body has been formed.

3. Timing

The DoD expects to include CMMC certification levels in RFIs and RFPs starting in Q3 of 2020. Suppliers should prepare now by strengthening their existing obligations under DFARS 252.204-7012 in preparation for CMMC certification.

FISMA

The Federal Information Security Management Act (FISMA), passed in 2002, requires federal agencies to develop, document, and implement an information security program. Using NIST SP 800-53, organizations must document the assessed impact level of each information system (Low, Moderate, or High), the system itself, and their remediation plans. Engage CastleLock to produce a FISMA-compliant Security Assessment Plan and System Security Plan with a Plan of Action and Milestones.

FEDRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This standardized approach uses NIST SP 800-53 as its core control framework and grants authorizations to cloud service providers at the Low, Moderate, and High impact levels. CastleLock provides FedRAMP readiness assessment consultations and authorization package preparation services.

NIST 800-53

Originally published in 2005, NIST SP 800-53 is nearing its fifth revision. This control framework provides recommended control baselines for three impact levels (low, moderate, and high) drawn from eighteen control families and 965 controls and control enhancements. These are the core requirements of the Federal Information Security Management Act (FISMA) and apply directly to federal organizations. NIST SP 800-53 is also the foundation for other programs, such as FedRAMP authorization of cloud service providers.

Frequently Asked Questions

The Cybersecurity Maturity Model Certification (CMMC) was established to provide a security framework for safeguarding the Department of Defense's sensitive information, including Controlled Unclassified Information (CUI), which covers many different types of data. It addresses supply chain security deficiencies and sets foundational levels of security for all participants in the supply chain.
Level 1 requirements are known as basic cyber hygiene: your systems are protected from external attackers, your company knows what devices it has and who its users are, and you keep your systems up to date.
Level 2 requirements build on Level 1 and are centered on the protection of Controlled Unclassified Information (CUI). They involve companies backing up their systems, testing those backups, and making sure those backups are protected. This level also adds multi-factor authentication to the company's environment.
Level 3 involves not only protection of Controlled Unclassified Information (CUI) but also defending against advanced persistent threats (APTs). Your company will be required to have documentation and resources for an information security program. DNS protection and monitoring is a strong component of Level 3.
Level 4 requires a proactive information security program and represents a more advanced level of maturity: the program is measured for effectiveness. It adds proactive threat hunting, managing your supply chain from a risk-based perspective, and penetration and security testing of your systems and environment, including looking for vulnerabilities and addressing them.
At Level 5, in addition to building on all the previous levels of the CMMC, the company has the capability to forensically investigate and respond to incidents and events in its environment. Traffic crossing the perimeter of the environment is recorded, insider threats are monitored within the organization, and traffic from potentially compromised users can be identified. All of this is monitored through a 24/7 security operations center. The very high level of capability required at this level calls for a very advanced skill set among information security professionals.

Secure the perimeter of your business today.

CONTACT US