The U.S. Department of Defense (DoD) is rolling out the Cybersecurity Maturity Model Certification (CMMC) on July 1, 2020, which is a new verification/certification mechanism to ensure that controls and processes are appropriately implemented to protect sensitive DoD information. This certification process signals an aggressive move to enhance the security of the Defense Industrial Base (DIB) by ensuring all contractors meet the minimum security requirements. With the growing risks of cyber security threats, this process can flow down security requirements with higher certainty to non-Tier-1 providers which should improve the overall security posture of the DIB. The CMMC is certainly a win for cyber security, a win for national security, and at C2 Labs we applaud the DoD vision to push aggressively towards a more secure supplier base.
However, not everyone is on board. Like any big change, there will be pockets of resistance who question the need for change, the speed in which the change is implemented, and the perceived benefits. Industry associations are already pushing back on the "aggressive" timeline, there are worries about costs to implement, and there is Fear, Uncertainty, and Doubt (FUD) everywhere about what this means for existing contracts. While there are legitimate questions and concerns, DoD is directionally correct meaning that they have to do something to respond to the growing cyber security threats. Like anything, processes must evolve and improve over time to react to changing conditions. The reality is that the cyber game has changed; and as Jadakiss would say - this game has levels...
For C2 Labs, it seemed to us that the trick is to improve security without exploding costs thereby creating a win/win scenario between DoD and industry. There are some inevitable problems we envision when small businesses see the CMMC requirements:
- They don't have the in-house expertise to create a cyber security plan and attest to the implementation of the controls
- They lack tools to track progress, collect evidence, and conduct internal audits/assessments over time
- They likely lack initial budgets and funding to support buying these tools and outside consultants due to the aggressive timelines and the fact that many of these companies are quite small and lack the requisite resources
- It is a bit of an unknown how high the auditing bar will be which exacerbates the lack of expertise problem
The result is that many small businesses won't know what to do, how to do it, or be able to afford to do it even if they did. However, complaining about problems doesn't make anything better. Instead, we set out to do our part to try and provide some solutions.
I will start off by saying that this is all new to everyone, we don't have all the answers, and we don't have a magic bullet to fix all the problems. However, we 100% support any initiative that drives a quantifiable improvement in cyber security which the CMMC undoubtedly will do. With that in mind, we have developed a CMMC compliance platform, currently in private BETA, that we are offering for free to assist the community in preparing for their certification. It is our hope that this tool makes the process a little bit better for the businesses that are struggling through it today. While the CMMC train is barreling down the tracks in a hurry, so are we as we continue to add new features to this platform to support the DoD's efforts (screenshot below):
Following are some key features we've developed to assist with the CMMC certification process, to include:
- A Turbo-Tax like experience for creating security plans with full support for CMMC controls and their corresponding categorization of processes and practices
- Guided wizards to walk through each control, establish the policy, describe the implementation, and assess/test compliance
- Ability to categorize controls by their CMMC process and practice maturity level
- Secure evidence collection module allowing the user to attach compliance artifacts that are stored with the control as evidence for auditors (NOTE: All stored artifacts are encrypted at rest with AES-256)
- Real-time dashboards tracking progress over time in completing CMMC certifications
- Deploy anywhere - on-premise, in the government cloud (Azure, AWS), or even on classified/air-gapped networks (or consume it as a Software as a Service (SaaS) when it officially launches this summer)
- Easy to get data in and out - Create fully up-to-date CMMC documentation at the push of a button via a vendor neutral, Compliance Switzerland with 100+ REST APIs for real-time integration with your existing tools
- Most importantly - this software platform will be released as a Community Edition this summer to run in your environment, 100% free to use with no restrictions
We know the CMMC process can be overwhelming for companies that are new to cyber security and lack in house expertise. We wanted to do our part to make it easier and cheaper for organizations to improve their cyber security posture so they can continue their patriotic duties in support of the national security missions of the DoD. While our software platform isn't a silver bullet (you still need to implement the security controls and establish repeatable processes), we hope it helps a little in lowering costs and getting companies off to a good start.
If you would like to apply to participate in our exclusive Private BETA and leverage this platform to develop CMMC documentation, contact us today. Spaces in our Private BETA are extremely limited and are reserved for those who have the cycles to provide active feedback to our development team prior to our official launch. We look forward to releasing this platform this summer to help make our world a safer place via compliance...continuous compliance.