Providing cost affordable CMMC coverage by Software Tool

 

CMMC-AB marketplace listing “Canfield CyberDefense Group” has been approved.

To view this listing,  go to:  https://cmmcab.org/marketplace/canfield-consulting-group/

CCG’s Artificial Intelligent software, CheckMate, is designed to meet, benefit, greatly simplify, and provide an economical cost reduction in the implementation of CMMC Certification pre-assessment and meet compliance requirements.

DoD contractors will need to be certified at the appropriate CMMC level in order to bid on Request For Proposal (RFPs).

Discover the CMMC Level Requirements:

CheckMate is providing direct requirement coverage through level 5:

  • Vulnerability Scanning
  • Mobile Device Management
  • Log Monitoring SIEM
  • Code Review
  • User access monitoring
  • Threat hunting

CheckMate also provides proof of compliance in a Real-Time Continuous Monitoring presentation that is otherwise expected to take 300-600 man-hours for existing networks at Level 2 greatly reducing the cost and simplifying the certification process.

What is CMMC?

CMMC is the U.S. Department of Defense’s new Cybersecurity Maturity Model Certification. It is a requirement that all contractors and suppliers, primes and subs, establish protocols to protect Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and other data, network, and systems of the Defense Industrial Base (DIB) sector. Previously, companies could self-certify compliance with the appropriate Defense Federal Acquisition Regulations (DFARs). Now companies must pass an audit conducted by a certified third-party assessment organization (C3PAO).

No company will find these activities and their associated costs trivial. Many SMBs possess minimal cybersecurity infrastructure or knowledge, which makes even CMMC Level 1 a challenge. Companies that handle CUI who already must meet DFARS clause 252.204-7012 also face a significant cost hurdle, even though CMMC Level 2 incorporates the 110 security controls of NIST 800-171, for two reasons:

  • CMMC Level 2 includes complete NIST 800-171 coverage.  Defined companies will be required to participate in a tri-annual 3rd party audit review.  All other companies requiring level 2, will be required submit self-assessed annual reports and artifacts.
  • DFARS 7012 considers members of the Defense Industrial Base compliant when they self-attest they comply with all of the 110 NIST 800-171 controls, or have POA&Ms for those with which they do not. To reiterate, CMMC eliminates the relief POA&Ms provide, which for many organizations that handle CUI today represents as much as 25 percent of the 110 controls – raising the accreditation cost bar even higher.

Giving you a competitive edge over the competition

Lower cost to reach and meet compliance through CheckMate w/ Phen, as low as $550/month to provide compliance coverage. Also, providing tools to help provide “proof of coverage” with real-time continuous monitoring software (CheckMate) to reduce the yearly reoccurring cost of up to $40,000.

The cost of CMMC compliance

The initial cost of cybersecurity compliance is high. Just writing policies and gathering proof of compliance will take 300-600 hours for existing networks at Level 2.  Depending on the complexity of your network, engineering, testing, and applying secure configurations will take much longer. Bringing existing systems up to the required level of security can easily take 1,000 – 2,000 consultant hours.

For example, it could take 100 hours for your Linux administrator to fully secure a single Red Hat database server. Then repeat for your web server, your file server, your directory services, your desktops, your backup solution…

Every time you add a new type of system, you need to review your CMMC requirements against it. For example, even if you secure your database server fully if your file server has a weak password policy, you have a problem.

The Cost of Forgoing CMMC Accreditation

Think about the cost of not pursuing CMMC accreditation today that goes above and beyond DoD contractual requirements and cuts to the core of any business. CMMC is the risk mitigation, and the risk it’s mitigating is yours. Exfiltration of CUI results in a $600 billion annual loss. Who paid to develop the stolen intellectual property (IP), and who bears that loss of current and future revenue from compromised IP? You! Independent of any DoD requirement, why wouldn’t you protect your organization’s IP, and why would you wait for the DoD to tell you that you should?

If that fact isn’t compelling enough, then remember that by the end of 2026, every DoD request for proposal (RFP) will incorporate CMMC. Businesses that do not possess the appropriate level of CMMC accreditation identified in the RFP cannot work on the contract and will miss out on revenue opportunities, even if they lie several levels down the winning bid team’s hierarchy. These same companies may find themselves on the sidelines prior to completion of the CMMC rollout, as primes and other upstream contractors choose to work with partners that have demonstrated a commitment to mitigate cybersecurity risk by proactively investing in CMMC. Can you afford that outcome?

Companies that understand, and take a holistic view of, the true cost of CMMC can plan accordingly, protect their interests, and gain a competitive advantage that will serve them well for years to come.

CMMC v1.0 to v2.0 changes

In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.

CMMC Levels

The CMMC framework consists of five maturity levels – Level 1 through 3 –

  • Level 1 (Foundational) only applies to companies that focus on the protection of FCI. It is comparable to the old CMMC Level 1. Level 1 will be based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, and focus on the protection of FCI. These controls look to protect covered contractor information systems, limit access to authorized users.
  • Level 2 (Advanced) is for companies working with CUI. It is comparable to the old CMMC Level 3.
    CMMC 2.0 Level 2 (Advanced) requirements will mirror NIST SP 800-171 and eliminate all practices and maturity processes that were unique to CMMC will be eliminated. Instead, Level 2 aligns with the 14 levels and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect CUI. Accordingly, the 20 requirements in the old CMMC Level 3 that the DoD had imposed were dropped, meaning that the new Level 2 (Advanced) is in complete alignment with NIST SP 800-171.
  • Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on DoD’s highest priority programs. It is comparable to the old CMMC Level 5. The DoD is still determining the specific security requirements for the Level 3 (Expert), but has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls.