February 28, 2022
KLC Consulting keeps you up-to-date with what’s happening on the front lines of CMMC and NIST 800-171 in our role as a CMMC-AB cleared candidate C3PAO.
CISA Issues “Shields Up” Alert
CISA (the Cybersecurity and Infrastructure Security Agency) issued its Shields Up cybersecurity alert in response to increased cyber threat activity from Russia following Russia’s unprovoked attack on Ukraine. The alert applies to every U.S. organization, and Defense Industrial Base (DIB) companies in particular should act on it now: harden their defenses, maintain a reliable data backup that is tested and kept isolated from the production network, and confirm that the business can recover if it suffers a cyber attack.
DoD CIO Office Town Hall on Feb. 24, 2022
The office of the DoD CIO held a Town Hall meeting on that date to discuss current events in CMMC:
Relocation of the CMMC Program Management
DoD CIO John Sherman had already announced on February 3 that his office would assume responsibility for the Cybersecurity Maturity Model Certification (CMMC) Program Management Office. The move gives the DoD CIO more direct influence over the direction of the CMMC program and increases its integration with the Department’s other Defense Industrial Base cybersecurity programs.
CMMC 2.0 Level 2 self-assessments will “most likely” be eliminated
During the Town Hall, members of the DoD CIO office restated a February 10 statement that all DIB organizations needing CMMC Level 2 will “most likely” require a third-party C3PAO assessment rather than a self-assessment. The change would affect the roughly 80,000 DIB companies that require CMMC Level 2.
DoD looks to create incentives for early CMMC certification
The DoD is looking at ways to incentivize DIB companies to obtain CMMC certification before the CMMC rulemaking is complete (expected to take up to 24 months). One option under consideration is to start the three-year recertification clock on the date the rulemaking is complete rather than on the date of the assessment, which would be a significant cost saving for DIB companies that certify early.
DoD CIO recommendations for DIB companies
DoD CIO recommendations include adopting the following “Top 10” practices to improve DIB cybersecurity posture:
Viewpoints From Kyle Lai
President and CISO
KLC Consulting, Inc.
CISSP, CSSLP, CISA, CDPSE, CIPP/US, CIPP/G, ISO 27001 Lead Auditor
POINT #1 — The Balancing Act within DoD Information Security
The change in thinking toward eliminating Level 2 self-assessments for DIBs that handle the “non-prioritized” CUI category is a recognition of the constant balancing act between goals and practical realities:
- First and foremost, the CMMC 2.0 program remains committed to safeguarding sensitive national security information while streamlining the process and improving affordability for DIB companies,
- Eliminating CMMC Level 2 self-assessments (should that become final) reaffirms the inadequacy of the self-attestation model whose shortcomings compelled the creation of the CMMC standard, and
- CMMC 2.0 gives the nascent CMMC ecosystem more time to develop.
POINT #2 — Perform a Gap Assessment
Another recommendation from the DoD CIO’s office is to perform a gap assessment against the NIST SP 800-171 requirements to identify which practices a DIB company has not yet fully implemented, so that remediation can be planned before a C3PAO assessment.
TIP — FREE Resources from CISA
CISA provides some terrific FREE resources to help small and medium-sized companies improve their cybersecurity posture. Check out the CISA Cyber Resource Hub for more information.
Where are you in your CMMC / NIST 800-171 program?
We offer a complimentary initial consultation to shed light on your compliance challenges.
KLC Consulting specializes in FLEXIBLE consulting and AFFORDABLE NIST 800-171 and CMMC solutions for: