The System Security Plan: What It Is, Why It Matters for CMMC, and How to Get Started on Yours
The rollout of the Cybersecurity Maturity Model Certification (CMMC, or CMMC 2.0) means it is now more important than ever for defense contractors to ensure that they have a comprehensive cybersecurity program in place. One crucial component of a good cybersecurity program is a System Security Plan (SSP). In this blog post, we'll explain what an SSP is, why it's important for CMMC, and provide tips on developing an SSP.
XQ vs. GCC High
Comparing XQ with GCC High reveals some important truths for Defense Industrial Base (DIB) (sub)contractors and vendors. XQ is less expensive, faster to deploy, easier to use, and better adapted to today’s risk landscape. For many DIB members, XQ is the smarter choice.
Five Benefits to Achieving CMMC 2.0 Compliance Now
CMMC compliance provides numerous benefits for defense contractors and suppliers. By achieving CMMC certification, your organization can gain a competitive advantage, build relationships with prime contractors, improve its cybersecurity posture, increase trust with customers and partners, reduce liability, and simplify compliance efforts. As the DoD ramps up NIST 800-171 audits and certification requirements for DoD contract eligibility become increasingly imminent, there's no better time to start your organization's CMMC journey.
Why use XQ for CMMC Compliance?
Incorporating XQ means you get incredibly safe, secure, and compliant customization on the infrastructure you control. Wherever and however you already work, simplify your sharing, upgrade your security, and achieve compliance quickly, cheaply, and effectively. If you’re still not ready for the May 2023 onset of CMMC, we can help. Book a time to talk, email us, or subscribe to our CMMC newsletter now!
Scoping for CMMC Level 2
Scoping is a key part of the CMMC assessment process. Per CMMC Assessment Guide Level 2, “The CMMC Assessment Scope informs which assets within the contractor’s environment will be assessed and the details of the assessment.” In other words, scope determines which organizational assets are relevant when conducting CMMC assessment and certification. Scoping can be confusing, so we’ve dedicated this post to simplifying things for our readers.
Preparing for CMMC Assessment, Part Two
Are you interested in learning more about preparing for CMMC assessment, including gap analysis, gap closure, and documentation? Read on! If you missed the first post, see Preparing For CMMC Assessment, Part One!
Preparing for CMMC Assessment, Part One
This blog is part one of a two-part series outlining the steps contractors can take, regardless of their unique conditions or approaches, to begin ‘doing’ CMMC. Following these blog posts will be individual posts outlining how to accomplish the listed steps in even greater detail. Today’s blog outlines steps one through three.
Introduction to CMMC Level 2
Unlike CMMC Level 1, compliance with Level 2 practices cannot be self-assessed. The formal Level 2 CMMC Assessment Process (CAP) can take months to complete! Understand the CMMC Level 2 Assessment Process and begin preparations for CMMC before requirements appear in DoD contracts in May 2023!
This blog introduces CMMC Level 2 requirements and the formal CMMC Assessment Process (CAP).
Understanding CMMC: Domain Groups
CMMC practices are organized into 14 domains, which are categories that reflect the areas of security that the practices cover. These include Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. Each domain contains a different number of practices, and with each level of certification, more practices are needed.
Introduction to CMMC Level 1
While contractors can use outside support (like a Certified CMMC Professional or even a C3PAO), CMMC Level 1 compliance is ultimately self-assessed and the contractor's responsibility. Contractors scope and evaluate their compliance using the CMMC Level 1 Assessment Guide, which is based on the assessment guidelines described in NIST Special Publication (SP) 800-171A Section 2.1 and whose practices align with FAR Clause 52.204-21.
What is CMMC? An Introduction to the Cybersecurity Maturity Model Certification
What is the Difference Between CMMC 1.0 and CMMC 2.0?
After the initial version of CMMC (CMMC 1.0) was met with widespread criticism, the DoD modified the framework. The DoD replaced the 2019 framework with CMMC 2.0 in 2021. It is a more dynamic, flexible, and industry-friendly version of the original. CMMC's redesign is focused on (1) reducing compliance and certification costs, especially for small businesses; (2) building trust in the assessment ecosystem; and (3) redefining CMMC cybersecurity requirements in alignment with widely recognized cybersecurity standards.
Announcing XQ’s CMMC Series
Malicious cyber actors are increasingly targeting the Defense Industrial Base (DIB) sector and the Department of Defense (DoD) supply chain. By exploiting vulnerabilities in cyber security, bad actors can steal valuable intellectual property and sensitive information, undercutting technical advantages, impairing innovation, and increasing risks to national security. The Cybersecurity Maturity Model Certification (CMMC) is a product of the Department of Defense’s (DoD’s) need to protect American interests against this growing threat.
CMMC improves, standardizes, and verifies cyber hygiene practices across the DIB. It outlines the required cyber security measures DIB members must take to protect non-classified, sensitive information across three maturity levels. Each level prescribes security practices commensurate with the sensitivity and risk of a specific category of information or data.