PRE-ASSESSMENTS REVEAL BANNED SOFTWARE & HARDWARE STILL IN USE
By Ken Michael
Companies in the defense industrial base (DIB) hoping to do future business with the United States Department of Defense (DoD) are preparing for Cybersecurity Maturity Model Certification (CMMC). As part of that preparation, many are undergoing pre-assessments, and Dox Electronics’ professional assessors are finding that many still use software and hardware that could jeopardize CMMC compliance and, with it, future DoD contracts.
Dox isn’t alone in its findings. According to an online article by Clearance Jobs, other technology and security firms have also found that many defense companies are still using banned software and hardware. If this isn’t remediated before a CMMC audit with a CMMC Third-Party Assessor Organization (C3PAO), the company will not achieve certification and will remain ineligible to contract with the DoD.
What pre-assessments are showing is that many companies have overlooked security vulnerabilities, did not understand which software and hardware had been banned, or simply did not know what the CMMC requirements fully entail. For example, smart speakers have been found in sensitive locations where they could easily be compromised to gather information, banned security cameras have been found in use, and networks have not been properly air-gapped, a weakness of the kind that may have led to the recent ransomware attack on the Colonial Pipeline Company.
Banned Software and Hardware
The U.S. government prohibits contracting for hardware, software, and services developed or provided by the Russian software company Kaspersky Lab, as well as several products from Chinese companies. The ban applies across U.S. government agencies, civilian and defense alike, and to contractors and subcontractors conducting business with the DoD.
Effective Aug. 13, 2020, Federal Acquisition Regulation (FAR) clause 52.204-24 began prohibiting businesses contracting with the DoD, the General Services Administration (GSA), or the National Aeronautics and Space Administration (NASA) from using certain equipment or services produced by Chinese companies. Organizations contracting with the U.S. government must manage their supply chain when fulfilling product and service orders. As of last year, contractors and subcontractors that supply goods and/or services through government contracts can no longer use Chinese companies as suppliers of telecommunications and surveillance equipment.
Assets and Security
The Cybersecurity and Infrastructure Security Agency (CISA) offers the Continuous Diagnostics and Mitigation (CDM) Program, which “provides a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program delivers cybersecurity tools, integration services, and dashboards that help participating agencies improve their security posture.” In practice this means helping contractors and subcontractors identify their cybersecurity risks and take measures to mitigate them.
Shoring Up Holes
The first step in shoring up holes in your company’s cybersecurity is knowing your assets and identifying your cyber risks. Inventory every asset, from data to software and hardware, used on your organization’s network and physical premises. Once your data is identified, you can determine how it should be classified, secured, stored, and destroyed. Then make sure you are using the right tools for network monitoring and security, from firewalls to antivirus programs and beyond.
Dox also recommends that any business involved with the DIB take a close look at every software and hardware asset in use on its digital or physical network. Beyond Kaspersky Lab software and hardware, companies should also weed out any Chinese-produced hardware and software on the banned list, which includes a wide range of telecommunications and surveillance equipment such as security cameras. Confirming that no banned items remain in use moves a company closer to CMMC compliance before the formal CMMC audit with a C3PAO.
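A simple way to turn the inventory step above into a repeatable check is to reconcile an exported asset list against the banned-vendor list. The script below is an added example written for this article, not a Dox tool: the inventory rows are constructed, Kaspersky Lab is the vendor the article names, and the five Section 889 telecommunications and surveillance entities are assumed from FAR 52.204-24 rather than taken from the article.

```python
import csv
import io
import re

# Banned vendors keyed by a lower-case match token. Kaspersky Lab is named in the
# article; the Section 889 entities are assumed from FAR 52.204-24 (not listed
# in the article) and should be checked against the current clause text.
BANNED_VENDORS = {
    "kaspersky": "Kaspersky Lab prohibition",
    "huawei": "Section 889 covered telecom entity",
    "zte": "Section 889 covered telecom entity",
    "hytera": "Section 889 covered radio entity",
    "hikvision": "Section 889 covered surveillance entity",
    "dahua": "Section 889 covered surveillance entity",
}

# Constructed sample inventory; a real one would be exported from an asset tool.
SAMPLE_INVENTORY = """asset_id,kind,vendor,product,location
A-001,software,Kaspersky Lab,Endpoint Security 11,Engineering LAN
A-002,hardware,Acme Networks,Edge Router X1,Server room
A-003,hardware,Hikvision,DS-2CD2 IP camera,Loading dock
A-004,software,Generic Reseller Inc,Kaspersky Anti-Virus,Front office
A-005,hardware,Dahua Technology,NVR-4000,Lobby
A-006,hardware,Contoso,Smart speaker,Conference room
"""


def _tokens(text):
    """Lower-case word tokens, so 'HIKVISION, Ltd.' still matches 'hikvision'."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def find_banned(inventory_csv):
    """Return [(asset_id, token, reason)] for rows whose vendor OR product name
    contains a banned-vendor token. Checking the product field as well catches
    banned software bought through a reseller (row A-004 above). Row A-006, the
    smart speaker, is not vendor-banned; it is a separate placement concern."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        words = _tokens(row["vendor"]) | _tokens(row["product"])
        for token, reason in BANNED_VENDORS.items():
            if token in words:
                hits.append((row["asset_id"], token, reason))
                break  # one finding per asset is enough for the report
    return hits


if __name__ == "__main__":
    for asset_id, token, reason in find_banned(SAMPLE_INVENTORY):
        print(f"{asset_id}: flagged for '{token}' ({reason})")
```

Token matching on vendor and product names is a first pass only; rebranded or OEM devices still need a manual check of the actual manufacturer.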
CMMC Level 3 Pre-Assessments
It is highly recommended that any business wishing to achieve CMMC compliance undergo a CMMC Level 3 Pre-Assessment with a Registered Provider Organization (RPO) such as Dox Electronics. A pre-assessment can save the time and money an underprepared organization would otherwise waste on a failed CMMC audit with a C3PAO. Such pre-assessments can be conducted promptly to support companies preparing for Cybersecurity Maturity Model Certification.
Don’t wait to identify banned assets within your company. The U.S. government is moving ahead with CMMC contract requirements now. For more information on achieving CMMC compliance, identifying banned software or hardware within your company, or to set up a CMMC Level 3 Pre-Assessment for your business with Dox, call (585) 473-7766 today. The initial call is free and there is never any obligation.