This past week, I was a panelist in a roundtable discussion on the topic of CMMC. Judging by some of the questions from the audience, this topic has been swept under the rug since the implementation delay that was announced in November 2021. After an extended period of "on again, off again", Department of Defense contractors should once again prepare for the rollout of CMMC 2.0 starting this May, when the "Proposed Rule" for Level 1 and Level 2 compliance is expected to make its way into solicitations. DFARS 7012 has been around since 2016, but to become certified, a contractor must have a Level 2 assessment performed through a third-party audit, rather than the self-assessment that still applies to the basic controls and practices set forth in Level 1. The CMMC requirement is expected to have a phased roll-out: it will not be included in all contracts at once, but in select contracts over a ramp-up period of six to twelve months. There are 110 controls to become familiar with, and the majority are contained in your internal written policies and procedures detailing how you protect Controlled Unclassified Information (CUI) within your organization.
A question that I was asked during the aforementioned panel discussion was, "As a software company that provides hosting of applications, are there things that you can do to help contractors who subscribe to your products and services meet certain controls?" Fortunately, the answer is yes: there are at least a dozen controls and practices for which we can assist our users in meeting the requirements for certification. These require cooperation and collaboration by both parties, and include, but are not necessarily limited to:
Level 1 Practices/Controls
- Malicious Code Protection: Update malicious code protection mechanisms when new releases are available.
- Account Management: Disable the user accounts of employees when they leave the company.
Level 2 Practices/Controls
- Unsuccessful Logon Attempts: Limit unsuccessful logon attempts.
- Session Termination: Automatically terminate a user session after a defined condition.
- Remote Access Confidentiality: Employ cryptographic mechanisms for remote access sessions.
- Accountability: Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
- Authoritative Time Source: Provide a system capability to generate time stamps for audit records.
- Audit Protection: Protect audit information and audit logging tools from unauthorized modification and deletion.
- Multifactor Authentication: Use multifactor authentication for local and network access to privileged accounts.
- Temporary Passwords: Allow temporary password use for system logins with an immediate change to a permanent password.
- Vulnerability Scanning: Scan for vulnerabilities in organizational systems and applications periodically.
- Vulnerability Remediation: Remediate vulnerabilities in accordance with risk assessments.
Beyond the above controls that we can proactively provide to help with your certification, there are also the all-important CMMC domains of Physical Security and Personnel Security. To meet these requirements, we provide secure hosting for our products in the Microsoft Azure Cloud within one of their world-class data centers located in the United States.
So, if you were among those who thought that CMMC had been placed indefinitely on the back burner after some fits and starts, in 2023 it is going to be codified in contracts issued not only by the Department of Defense but by other agencies as well. Even if this were not soon to become a reality, good cyber hygiene is worth investing in: the time and money spent instituting and documenting these practices and controls is well spent. There is no time like the present to become prepared, and we will be ready to work with you when called upon, doing what we can to assist as your trusted Software-as-a-Service provider.