Viqtory Cyber
CMMC Made Simple

DoD Contractors: Are You Ready for Your CMMC Audit?

Ready for CMMC? No? You might think that delays in the deployment of CMMC for DoD contractors mean it isn't coming, but can you be sure? Assessing your NIST SP 800-171 compliance is only part of achieving certification. We provide a 3 to 7 day discovery assessment of your environment that includes a high-level, prioritized gap analysis. We'll also help you build a Plan of Action & Milestones (POA&M) so you'll know what you need before CMMC becomes a reality!

Our Approach

Getting you started on your journey toward CMMC compliance.

  • Determine what level of maturity your organization needs to (or would like to) achieve.
  • Review the CMMC framework to understand the practices and processes your organization would need to comply with for the level of maturity desired.
  • Interview key stakeholders and audit data usage.
  • Conduct a GAP ANALYSIS – work with a third party or with your team to identify technical gaps in existing vs. required practices.
  • Develop a REMEDIATION PLAN to implement practices that are found to be non-existent (or fixes for those determined weak) based on the results of the assessment.
  • Deploy technical solutions where needed.
  • Remediate other process gaps as identified in the preparedness assessment.
  • Identify/select a CMMC Third-Party Assessor Organization (C3PAO) firm for your CMMC audit. 
  • Obtain your desired CMMC level maturity certification based on the audit.

CMMC Basics

Why CMMC?


In 2015, the Department of Defense (DoD) published the Defense Federal Acquisition Regulation Supplement (DFARS) to push private contractors to maintain cybersecurity standards according to the requirements the National Institute of Standards and Technology (NIST) outlined in NIST SP 800-171.


Created to ensure the protection of Controlled Unclassified Information (CUI), the standards outlined in DFARS and NIST SP 800-171 gave DoD contractors until December 31, 2017 to meet the requirements necessary to be compliant or risk losing DoD contracts.


To be classified as compliant, contractors merely had to attest to meeting the requirements or being in the process of satisfying them.

As a result, U.S. adversaries have been able to develop military equipment based on stolen data. For instance, the Chinese J-20 and J-31 stealth fighter jets suspiciously resemble the American F-35. According to the Pentagon, China may have accessed the F-35 design after an information breach in 2009.

What's Your Data Type?

The Cybersecurity Maturity Model Certification (CMMC) is a new certification model designed to verify that DoD contractors have sufficient controls to safeguard sensitive data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

  • Federal Contract Information (FCI): FCI is information provided by or generated for the Government under contract not intended for public release.
  • Controlled Unclassified Information (CUI): CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

The CMMC model uses the basic safeguarding requirements for FCI as specified in Federal Acquisition Regulation (FAR) clause 52.204-21, and the security requirements for CUI as specified in NIST SP 800-171 / DFARS.

CUI Examples


Examples of CUI: 

  • Research and engineering data
  • Engineering drawings and associated lists
  • Specifications
  • Standards
  • Process sheets
  • Manuals
  • Source code
  • Technical reports
  • Technical orders
  • Catalog-item identifications
  • Data sets
  • Studies and analyses and related information
  • Computer software executable code




CMMC Levels

The CMMC acknowledges that not all information shares the same level of sensitivity, and not all contract participants have the same clearance levels. Because of this, the Cybersecurity Maturity Model Certification measures processes and practices across five maturity levels.


The achievement of higher CMMC levels enhances the ability of an organization to protect CUI. For Levels 4-5, it also reduces the risk of advanced persistent threats (APTs), which are often executed via multiple incursions, including cyber, physical, and deception.


There will be five cumulative Certification levels to the CMMC:


Level 1 – Basic Cyber Hygiene: Includes basic cybersecurity appropriate for small companies utilizing a subset of universally accepted common practices. The processes at this level would include some performed practices, at least in an ad hoc manner. This level has 17 security practices that must be successfully implemented.

Level 2 – Intermediate Cyber Hygiene: Includes universally accepted cybersecurity best practices. Practices at this level would be documented, and access to CUI data will require multi-factor authentication. This level includes an additional 55 security practices beyond that of Level 1.

Level 3 – Good Cyber Hygiene: Includes coverage of all NIST SP 800-171 Rev. 1 controls and additional practices beyond the scope of current CUI protection. Processes at this level are maintained and followed, and there is a comprehensive knowledge of cyber assets. This level requires an additional 58 security practices beyond those covered in Levels 1 and 2.

Level 4 – Proactive: Includes advanced and sophisticated cybersecurity practices. The processes at this level are periodically reviewed, properly resourced, and are improved regularly across the enterprise. In addition, the defensive responses operate at machine speed and there is a comprehensive knowledge of all cyber assets. This level has an additional 26 security practices beyond the first three levels.

Level 5 – Advanced / Progressive: Includes highly advanced cybersecurity practices. The processes involved at this level include continuous improvement across the enterprise and defensive responses performed at machine speed. This level requires an additional 15 security practices beyond the first four levels.



CMMC Timelines






A landmark effort by the Department of Defense to shore up cybersecurity across its 300,000+ contractor base has managed to stay mostly on schedule despite the coronavirus pandemic.


  • DoD is issuing an interim rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain. EFFECTIVE Nov 30, 2020.
  • A DoD supplier or contractor should plan for at least a 6-month preparation and certification period.
  • The first contract awards to certified suppliers or contractors are expected to take place in the first quarter of 2021.
  • The CMMC certification is valid for a 3-year period.



The Cost of Ignoring CMMC Certification

Currently, non-compliance can result in criminal and civil litigation, along with fines and other penalties being levied against the business. If CUI is breached and the contractor is found to be out of compliance, it can result in the termination of the contract, and the company may be restricted from bidding on additional projects.

Some of the other penalties that businesses could face include:

  • Loss of federal funding. Depending on the business this can be a small amount or the majority of the company’s income.
  • Depending on the severity of the cybersecurity breach, a company could face government hearings.
  • A company’s reputation can be damaged, sometimes beyond repair, when news of the cyber breach is made public.
  • Restricted from future government contracts.

Viqtory Cyber Overview

IQ CMMC Services (pdf)


Copyright © 2021 Viqtory Cyber - All Rights Reserved.