DOD has released the official version of CMMC 2.0. What does this mean for defense suppliers?
DOD planned a phased rollout of CMMC in fiscal years 2021-2025. If your company wants to win DOD contracts that include CMMC, you will have to be CMMC compliant at the time of contract award.
CMMC Assessors and Assessments: Unlike previous compliance programs where you could self-certify your compliance, there will be an army of CMMC assessors that will act as a third party to review, inspect and certify that you are compliant. The time to get ready for those assessments is now.
How can the CMMC Academy help out? We will provide both general background and update information about CMMC as well as information on the specific practices your company may need to comply with. This CMMC practice-oriented area will include:
CMMC Research - A way for you to indicate which areas of CMMC are difficult to understand
CMMC Augmentation - The Academy will work to provide further insights about CMMC practices via assessment and implementation notes, panel discussions, videos, Q&A, and more.
Please beware of scam companies. The Department of Defense has warned vendors about companies falsely claiming they can get other vendors certified under CMMC. We do not claim to be experts on CMMC. We provide information and opinions. We have no intention of being a certifier or C3PAO organization. The CMMC Academy is a free initiative of Celerium Inc.
DOD CMMC Summary
The goal of the DOD CMMC initiative is to prevent sensitive data from being stolen by
from the 300,000 DOD contractors and subcontractors. The two key types of information DOD wants to protect are Controlled but Unclassified Information ("CUI") and Federal Contract Information ("FCI").
The main concerns of DOD include a) the theft and use of this information against the national security interests of the United States and b) theft of intellectual property that results in an estimated $600 billion loss to the U.S. economy.
The Bottom Line: Five Key Takeaways You Should Know
Impact on my company: Going forward, companies desiring to win defense contracts (based on RFIs and RFPs) will need to comply with new cybersecurity standards based on CMMC.
Assessments (audits): Unlike in past compliance programs, defense suppliers will no longer be able to "self-certify" or simply declare their compliance; they will be reviewed and approved by assessors and third-party assessment companies called C3PAOs (CMMC Third Party Assessment Organizations).
Phased rollout in 2021-2025: DOD and the CMMC Accreditation Body have planned a phased rollout of CMMC implementation in fiscal years 2021-2025. Starting in fiscal year 2021, the department will pilot the implementation of CMMC requirements for Level 3 and below on select new acquisitions.
Your suppliers: In many cases, it may not be sufficient for your own company to be CMMC certified. If your company needs to use suppliers, those companies may also need to be CMMC certified. You should encourage, and perhaps facilitate, their compliance.
Sponsored by Celerium
Cyber Threat Intelligence for August 10, 2022
Threat Spotlight: Automotive supplier breached by Lockbit, Hive, and BlackCat ransomware gangs in two-week span via RDP.
All three threat actors exploited a firewall rule exposing RDP on a management server but used different ransomware strains and tactics.
Threat Spotlight: Cisco hacked by Chinese Yanluowang ransomware gang.
Threat Spotlight: Actor utilizes new RAT malware in Cuba ransomware attacks.
CMMC Insights: Training on Implementation by Implementers
These online-only courses provide CMMC training to companies looking to comply with CMMC. The courses are created by an experienced team of cybersecurity implementers with years of experience on NIST standards.
Implementing CMMC will be different for every company. And with the U.S. government doubling down on cybersecurity, it's important to get it right. So where is the best place to start?
Our CMMC Insights courses were created to help companies looking to comply with CMMC understand how to implement the practices. Our team has years of experience implementing NIST 800-53.
One-year access to the learning portal is provided, and we will provide updates on changes to CMMC as clarity is provided on items such as reciprocity. Don't wait -- get started on your CMMC assessment preparation now.
CMMC Academy Events
Latest Video: CMMC 2022 Spring update
The ever-evolving rollout of CMMC 2.0 may have you wondering if your understanding of the 2.0 program is up to date. To level set you on the 2.0 program and its requirements, practices and processes, please watch the video displayed below. Celerium’s Chief Operations Officer, Chris Gundel, provides what you need to know, and do, to enable your company to do business with the DoD.