CMMC - What Companies Struggle with the Most
By: Omer Kaan Aslim
May 28, 2020
Here are the top cybersecurity compliance requirements DoD contractors struggle with the most.
In 2019, the Inspector General of the U.S. Department of Defense released a report titled “Audit of Protection of DoD Controlled Unclassified Information on Contractor-Owned Networks and Systems”. The report was the result of an audit of DoD subcontractors and their implementation of the NIST SP 800-171 framework of security controls. CMMC draws many of its security requirements from NIST SP 800-171.
Here are the top deficiencies identified in the report:
- Using multi-factor authentication;
- Enforcing the use of strong passwords;
- Identifying network and system vulnerabilities;
- Mitigating network and system vulnerabilities;
- Protecting CUI stored on removable media;
- Overseeing network and boundary protection services provided by a third-party company;
- Documenting and tracking cybersecurity incidents;
- Configuring user accounts to lock automatically after extended periods and unsuccessful logon attempts;
- Implementing physical security controls;
- Creating and reviewing system activity reports;
- Granting system access based on the user’s assigned duties.
What you should do:
We developed an application to help contractors meet their new CMMC requirements. Through the application, our cybersecurity team conducts a gap analysis for you. Using the results of the gap analysis, we create a project plan specifying how to implement the CMMC practices you are missing. The entire process is self-paced. If you would like to learn more, reach out to us for a demo.
How we can help:
As of yet, non-DoD contracts do not require CMMC. There has been talk that the rest of the federal government may adopt it in the coming years.