703-345-5833 info@rimstorm.com

July 23, 2020

Government contractors need to reach CMMC Level 3 at bare minimum. That is, if they want to remain government contractors. An audit is a lot more unforgiving than you might think. In today’s blog, we’re going to share with you why this is and why it’s so critical for you to reach Level 3 right now — not later.

Anyone handling CUI is required to be at least CMMC Level 3 compliant.

Controlled Unclassified Information (CUI) is defined as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.” If your job is to handle CUI in any way, shape or form, CMMC Level 3 is a requirement by federal law. There are no exceptions to this.

All practices from NIST 800-171 must be implemented.

In addition to every practice outlined in NIST 800-171, there are 20 extra practices required for CMMC Level 3. This distinction is very important. If a single practice is missed, the audit will result in compliance at Level 2, not Level 3.

Some of the additional required components for Level 3 that are not part of NIST 800-171 generally cover the following:

  • Logging, monitoring, incident response and reporting capabilities with a SIEM or similar technical solution
  • Having the ability to backup and restore data through tested, comprehensive and secure backup platforms.
  • Separating management of unsupported products with network restrictions and regular risk assessments to identify vulnerabilities
  • DNS filtering, spam protection and email sandboxing to protect against malicious traffic.

CMMC requires full compliance at the time of assessment.

Plan of Action and Milestones (POAMs) are commonly used by government contractors to delay and avoid fixing certain security deficits. Historically, they could “get away” with not being fully compliant by using a POAM that basically states they will fix the issues in the future.

With CMMC, however, there are no POAMs. Federal contractors dealing with the DoD and CUI must meet NIST 800-171 requirements, and they must be fully compliant to the appropriate level at the time of the audit. Otherwise, they will not achieve the certification. There’s simply no leeway or negotiation on this anymore.

At Rimstorm, we have a number of services that will help a government contractor achieve CMMC compliance if they are deficient in certain areas — including our MDR offering, Cyber Managed Security Services, EDR (Endpoint Detection and Response) and DNS/Domain security. Contact us today for a consultation and let us help you ace your CMMC audit.