CCG’s artificial intelligence software, CheckMate, is designed to simplify CMMC certification pre-assessment, help organizations meet the compliance requirements, and reduce the cost of implementation.
CMMC levels work like a ladder: each level must be reached before moving to the next. Starting in September 2020, DoD contractors will need to be certified at the appropriate CMMC level in order to bid on Requests for Proposal (RFPs).
CheckMate provides direct requirement coverage through Level 5:
- Vulnerability Scanning
- Mobile Device Management
- Log Monitoring SIEM
- Code Review
- User access monitoring
- Threat hunting
CheckMate also provides proof of compliance through a real-time continuous monitoring presentation, work that is otherwise expected to take 300-600 man-hours for existing networks at Level 3, greatly reducing the cost and simplifying the certification process.
What is CMMC?
CMMC is the U.S. Department of Defense’s new Cybersecurity Maturity Model Certification. It requires that all contractors and suppliers, primes and subs alike, establish protocols to protect Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and other data, networks, and systems of the Defense Industrial Base (DIB) sector. Previously, companies could self-certify compliance with the appropriate Defense Federal Acquisition Regulation Supplement (DFARS) clauses. Now companies must pass an audit conducted by a certified third-party assessment organization (C3PAO).
No company will find these activities and their associated costs trivial. Many SMBs possess minimal cybersecurity infrastructure or knowledge, which makes even CMMC Level 1 a challenge. Companies that handle CUI and already must meet DFARS clause 252.204-7012 also face a significant cost hurdle, even though CMMC Level 3 incorporates the 110 security controls of NIST 800-171, for two reasons:
- CMMC Level 3 includes twenty additional practices, as well as three new processes.
- DFARS 7012 considers members of the Defense Industrial Base compliant when they self-attest that they comply with all 110 NIST 800-171 controls, or have POA&Ms for those they do not. CMMC eliminates the relief POA&Ms provide, which for many organizations that handle CUI today represents as much as 25 percent of the 110 controls – raising the accreditation cost bar even higher.
Giving you a competitive edge
Lower cost to reach and maintain compliance through CheckMate with Phen, as low as $550/month for compliance coverage. CheckMate also provides tools for “proof of coverage” through real-time continuous monitoring software, reducing a yearly recurring cost of up to $40,000.
The cost of CMMC compliance
The initial cost of cybersecurity compliance is high. Just writing policies and gathering proof of compliance will take 300-600 hours for existing networks at Level 3. (This is a ballpark estimate from my experience; please comment with your thoughts.) Depending on the complexity of your network, engineering, testing, and applying secure configurations will take much longer. Bringing existing systems up to the required level of security can easily take 1,000 – 2,000 consultant hours.
For example, it could take 100 hours for your Linux administrator to fully secure a single Red Hat database server. Then repeat for your web server, your file server, your directory services, your desktops, your backup solution…
Every time you add a new type of system, you need to review your CMMC requirements against it. For example, even if you secure your database server fully, you still have a problem if your file server has a weak password policy.
The Cost of Forgoing CMMC Accreditation
Think about the cost of not pursuing CMMC accreditation today, a cost that goes above and beyond DoD contractual requirements and cuts to the core of any business. CMMC is risk mitigation, and the risk it mitigates is yours. Exfiltration of CUI results in a $600 billion annual loss. Who paid to develop the stolen intellectual property (IP), and who bears the loss of current and future revenue from compromised IP? You! Independent of any DoD requirement, why wouldn’t you protect your organization’s IP, and why would you wait for the DoD to tell you that you should?
If that fact isn’t compelling enough, then remember that by the end of 2026, every DoD request for proposal (RFP) will incorporate CMMC. Businesses that do not possess the appropriate level of CMMC accreditation identified in the RFP cannot work on the contract and will miss out on revenue opportunities, even if they lie several levels down the winning bid team’s hierarchy. These same companies may find themselves on the sidelines prior to completion of the CMMC rollout, as primes and other upstream contractors choose to work with partners that have demonstrated a commitment to mitigate cybersecurity risk by proactively investing in CMMC. Can you afford that outcome?
Companies that understand, and take a holistic view of, the true cost of CMMC can plan accordingly, protect their interests, and gain a competitive advantage that will serve them well for years to come.
The CMMC framework consists of five maturity levels – Level 1 through 5 – whose cybersecurity requirements become more advanced as you ascend the levels. Level 1, or “basic cybersecurity”, is expected to entail a small subset of NIST 800-171-based data controls and other “best practices”. Levels 2 and 3 provide a closer approximation of what is required by NIST SP 800-171 and DFARS 252.204-7012. The mid-levels will encompass all rev 1 controls under 800-171 as well as other practices outside the CUI protection scope. Level 5 of the CMMC calls for the most advanced cybersecurity practices within and beyond the perimeter of CUI protection. Additional controls may include a 24/7 SOC, network segmentation, real-time asset tracking, and initial response actions. CCG is here to help you comply with CMMC at every step. Here is a high-level look at what contractors can expect in order to gain certification at each level:
Level 1 (Basic Cyber Hygiene). 17 practices
- FAR Requirements
- Ad hoc incident response
Level 2 (Intermediate Cyber Hygiene). 72 practices
- Awareness and training
- Risk management
- Security continuity
Level 3 (Good Cyber Hygiene). 130 practices
- Compliance with all NIST SP 800-171 requirements
- Share threat information with key stakeholders
- Multi-factor authentication (MFA)
Level 4 (Proactive Cyber Controls). 156 practices
- Network segmentation
- Detonation chambers
- Mobile device inclusion
- Use of DLP technologies
- Supply chain risk consideration
- Threat hunting
Level 5 (Advanced/Progressive Cyber Protection). 171 practices
- 24/7 SOC operation
- Device authentication
- Cyber maneuver operations
- Organizational custom protections implementation
- Real-time asset tracking