CMMC: Acronyms to Know

By Heather Bennett

October 24, 2022

Have you ever been in a conversation where everyone used letters instead of words and you had no clue what they were talking about? This happens quite often in the IT and cybersecurity world. Groups of people who specialize in these areas shorten frequently used terms to make conversations go faster. Someone from outside that group may not be familiar with those acronyms and may be lost as to their relevance to the conversation.

The first time I heard this happening, I thought my colleagues were speaking a foreign language. Luckily, with time and exposure I began to understand what the acronyms meant. This will happen to you as you begin to use and understand the language of CMMC. But until then, I have compiled a list of acronyms and their meanings to help increase your knowledge about CMMC and fast-track you to CMMC conversation excellence!

See the Cyber-AB CMMC Glossary and Acronyms for additional detail.

Helpful Guide: CMMC Acronyms to Know (PDF)

You can now download this PDF for future use!

Next Steps

Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can put you on the path to success!

Until then, be safe and stay secure!

About Us

Provincia Government Solutions, LLC is a Nashville-based HUBZone certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments, security consulting, or CMMC certification, we have the expertise to help. Contact us at (615) 807-2822 or at info@provincia.io to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!


ABOUT US

Provincia Government Solutions is an SBA certified Small Business cybersecurity assurance firm and a CMMC Certified Third Party Assessment Organization (C3PAO). We were the first organization to become a C3PAO in the Middle Tennessee (Nashville) area and provide a full range of services including CMMC consulting and certification assessments. Our assessment team is trained in CMMC and other government assessment disciplines and we are experienced working with organizations of all sizes. Please reach out with any cybersecurity or CMMC related inquiries. We look forward to speaking with you!


Taking the Pain Out of Audit Readiness

By Sese Bennett

October 20, 2022

Preparing for audits is no small task. Whether it is a single small audit or multiple enterprise audits, it’s a grueling process. It can sap the strength out of any organization and lead to poor audit performance.

So, how do you prepare for an audit? Most organizations choose to pull resources from their existing job responsibilities or assign the audit to a project manager. As you can imagine, both of these approaches come with a level of impact that can tax your resources. So, let’s rephrase the question – How do you prepare for an audit in a way that benefits your organization?

The article below will discuss how to remove the pain from the audit preparedness process so that you can realize the benefits of a no-nonsense approach.

 

Audit Readiness - What is required?

Preparing for an audit involves several steps including reviewing your existing control status, scheduling resources, and collecting artifacts to satisfy evidence requests. How do you accomplish this while ensuring that you are adequately prepared to respond to the audit?

Re-assign Resources Approach

As mentioned previously, one approach is to re-assign existing resources to assist with the audit. While this approach can be successful, what impact will it have on your organization? Pulling resources from their daily job responsibilities can increase stress in the environment and lead to low-quality responses for your audit requests. Here are a few pros & cons for this approach.

Pros:

  • Internal resources may be more familiar with the environment
  • No need to bring in additional personnel
  • A single point of contact for interviews, artifacts and follow-up (audit response)

Cons:

  • Audit resources are split between the audit and other responsibilities
  • Additional tasks can stress resources, leading to poor audit responses
  • If internal resources are siloed, they may not be familiar with the overall audit process
  • Remediation efforts may conflict with assigned operational tasks

 

Project Management Approach

Another approach is to assign a project manager to head up your audit preparedness efforts. This approach is often successful in managing the timeline of the audit but may cause confusion due to a lack of familiarity with the technical aspects of audit requirements. One of the most prevalent evidence collection issues is that the evidence provided does not always match the evidence requested. This too can lead to frustration on the part of the audit team and the client, causing delays and low-quality responses to audit requests. Here are a few additional pros & cons for this approach.

Pros:

  • Project managers are excellent at keeping projects performing and on schedule

Cons:

  • Project managers may not be familiar with the technical aspects of the environment
  • Project managers may not be technically savvy enough to interpret evidence requests properly
  • Project managers may not have the knowledge to validate evidence/artifacts properly
  • Evidence collection and management may not be a high priority for the overall project

 

Taking the Pain Out of Audit Readiness

Provincia Government Solutions takes the pain out of audit preparation by providing the best of both approaches. We provide you with a highly experienced audit coordinator who is focused on assisting your team with:

  • Interpreting audit requests
  • Reviewing evidence artifacts for accuracy and applicability
  • Scheduling appropriate resources for interviews and demonstrations
  • Developing and documenting a repeatable readiness process
  • Interfacing with your organization’s technical and project management resources
  • Flexibility – readiness assistance on demand or as a continuous contractor member of your team

Next Steps

Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can help you tackle the headache of audit readiness and put you on the path to success!

Until then, be safe and stay secure!


CMMC: Understanding Maturity Levels

By Heather Bennett

October 17, 2022

In keeping with our CMMC theme, we are going to delve into a topic that has seen some change. There are many articles on this topic online. Sadly, my most recent Google search revealed that the old, inaccurate information is quite prevalent. Hopefully this will alleviate some confusion and get everyone on the same page.

If you have spent any time trying to figure out where you belong in the CMMC ecosystem, you have more than likely heard the term CMMC Maturity Level. This is not an “act your age, not your shoe size” thing. This is the level at which your company will be assessed against the CMMC standards.

CMMC Maturity Levels: Then and Now

The original goal of the CMMC was to safeguard sensitive information. CMMC 2.0 was introduced in November of 2022 with some significant changes. Most notable was the change in Maturity Levels. This change was made to minimize barriers to compliance with DoD requirements while still ensuring accountability for companies to implement cybersecurity.

The first version of CMMC had 5 Maturity levels ranging from Basic to Advanced. The assessment requirements for this model were confusing and impractical for most small businesses operating as contractors or subcontractors. After much consideration, the levels were simplified and better defined. CMMC 2.0 was born.

CMMC 2.0 has only three Maturity Levels: Foundational, Advanced, and Expert. However, the reduction in levels is not the only notable change. The change in assessment requirements was also a huge change that was much needed for small businesses. This change made it easier for compliant small businesses to meet the CMMC requirements. Why is that the case?

How Mature Are You?

Level 3

As mentioned previously, CMMC 1.0 included five Maturity Levels, including Maturity Levels 4 and 5. These two levels were defined by the type of CUI and FCI they protected, with Levels 4 and 5 earmarked for protecting the most sensitive CUI data types. CMMC version 2.0 combines these two levels into what we now know as CMMC 2.0 Maturity Level 3.

CMMC 2.0 Maturity Level 3 is still intended to protect the same sensitive CUI but with a simplified approach. Additionally, CMMC 2.0 Maturity Level 3 will now require the DIB contractor to have a government-led assessment.

Level 2

What was once known as CMMC 1.0 Maturity Level 3 and Level 2 has now become CMMC 2.0 Maturity Level 2. Level 2 handles CUI and FCI of a less sensitive nature. With 110 practices, this level is required to have an assessment every three years by a C3PAO, and an annual self-assessment for some programs.

Level 1

The new CMMC 2.0 Maturity Level 1 retains most of the same parameters as the previous CMMC 1.0 Maturity Level 1. CMMC 2.0 Maturity Level 1 remains at 17 practices to be assessed. The big change here is that these companies will be able to perform an annual self-assessment. This drastically reduces the cost for small businesses that handle only FCI. This new approach also allows them to demonstrate that they are protecting the FCI without incurring the cost of a third-party assessment.

Upcoming Blog

We will discuss some need-to-know acronyms in the next article. This article will help you learn the language of CMMC.

Be sure to subscribe to our blog and check out our new podcast for more in-depth discussion of all things cybersecurity.

Next Steps

Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can put you on the path to success!

Until then, be safe and stay secure!


CMMC: Why Me?

By Heather Bennett

October 10, 2022

If you found this blog, chances are you just found out you are required to be CMMC certified. You don’t know what that means, did a web search, and now you’re here. Let me be the first to welcome you to the world of CMMC. It’s nice here, we have (virtual) cookies.

In this article, we are going to cover the who, what, when, and why associated with CMMC. This will be a brief overview, as most of these topics will be covered in depth in future articles. Now is not the time to get educated on CMMC!


The Who, What, When, and Why of CMMC

Who

Who is who regarding CMMC?

“The Defense Industrial Base Sector is the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.” (cisa.gov)

The DoD requires certification from all DIB contractors and subcontractors. The DoD has estimated that over 300,000 companies will be affected.

What

What is CMMC?

CMMC is a certification required by the US Department of Defense (DoD). It is a new certification model to ensure all contractors and subcontractors of the DoD properly protect sensitive information.

When

When will this happen?

The DoD began unveiling contracts with CMMC requirements in 2021. Each subsequent year will add more contractors. It is expected that CMMC will be a requirement on all contracts by October of 2026.

Why

Why am I being required to be CMMC certified?

CMMC was developed to ensure the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI and CUI can contain sensitive information that could jeopardize the nation’s security if it fell into the wrong hands. An interesting article talking about just that can be viewed here.

Upcoming Blog

The requirements to become CMMC Certified will vary with the extent of FCI and CUI a company handles. We will cover the CMMC Maturity Levels in the next article. Keep up to date with all things CMMC by subscribing to our weekly blog.

Next Steps

Are you ready for Provincia Government Solutions to help you? If so, reach out to our team and let’s talk. We can put you on the path to success!

Until then, be safe and stay secure!


So, You Need To Be CMMC Certified?

By Sese Bennett

November 14th, 2019

So, you need to be CMMC certified? If you’re like most small to mid-sized companies, you’re asking yourself – “What do I need to do to meet the CMMC requirements?” That is the million-dollar question.

Logically speaking, to pass an assessment, you need to know and understand what you’re being assessed on, and what is considered a “passing” grade. We hope this blog will assist in that understanding.

If you do not have any idea of what CMMC is, I encourage you to review our previous two blogs on the subject for a basic breakdown of the program. Since the articles were written, the CMMC program has matured a bit, but it should still give you the background you need to get up to speed.

So, let’s jump right in!

CMMC Levels

The first thing that should be on your radar is to determine what Cybersecurity Maturity Model Certification (“CMMC”) maturity level you are seeking as an organization. If you are storing, processing, or transmitting only Federal Contract Information (“FCI”), then you are likely only seeking CMMC Maturity Level 1 (“ML-1”) certification. If you are storing, processing, or transmitting anything else, then you are most likely seeking Maturity Level 3 (“ML-3”) or above. This is an overly simplified description of the maturity level designations, but hopefully it’s enough to get you going in the right direction.

Now for the good news! If you’re seeking ML-1, consider that the EZ button of the certification levels. ML-1 certification requires that your organization demonstrate compliance with seventeen (17) CMMC controls and meet a set of basic cyber hygiene requirements. These requirements are focused on validating what you are doing at the time of the assessment. Another way of putting it is that ML-1 is focused on performing the practice versus documenting the practice.

This means that technically your organization will not fail an ML-1 assessment because a practice is not documented. But in reality, you will need to have some sort of documentation available to show that your organization is performing the practice. Consequently, it may be acceptable to provide informal or less detailed documentation to the CMMC assessor when reviewing ML-1 controls.

While we are on the subject of passing or failing, let’s talk about what that means in regards to CMMC. It should be noted that the CMMC certification is an all-pass or all-fail assessment. This means that you must pass all of the required practices for ML-1 in order to qualify for the certification.

Now, let’s do a quick breakdown of what those seventeen (17) ML-1 controls are looking for:

Access Control

The first four (4) practices are based on the Access Control (“AC”) practice family. These practices are designed to ensure that your organization properly limits system access to authorized personnel, applies the principle of least privilege by granting only the level of access that fits a user’s job role or responsibility, controls connections to external systems, and controls what is posted to publicly accessible systems such as websites on the internet. (AC.1.001, AC.1.002, AC.1.003, AC.1.004)

Identification and Authentication

The next two (2) practices are based on the Identification and Authentication (“IA”) practice family. These two practices focus on identifying your users and services acting on their behalf to include things like service accounts or other accounts that may be device based. Additionally, this practice area examines how you authenticate (or verify) the identity of users, processes, and devices prior to allowing access to your systems. (IA.1.076, IA.1.077)

Media Protection

The Media Protection (“MP”) practice family contains only one (1) practice to consider for ML-1. The practice focuses on how you sanitize or destroy media containing Federal Contract Information (“FCI”) before disposal, release or reuse. (MP.1.118)

Physical Protection

The next four (4) practices fall under the Physical Protection (“PE”) practice family. These practices focus on limiting physical access to your systems, equipment and their respective operating environments to authorized individuals. This practice family also includes how visitors are handled when they visit your facilities, how audit logs are maintained, and how physical access devices like badges, access cards, etc. are controlled and managed. (PE.1.131, PE.1.132, PE.1.133, PE.1.134)

System and Communications Protection

The System and Communications Protection (“SC”) practice family contains two (2) practices that you need to consider. The first one focuses on monitoring, controlling, and protecting communications transmitted or received by your systems at your key internal and external boundaries. The second practice examines how you are physically or logically separating your internal network from publicly accessible systems. (SC.1.175, SC.1.176)

System and Information Integrity

That brings us to the last practice family for those organizations considering ML-1 CMMC certification. System and Information Integrity (“SI”) contains four (4) practices that focus on identifying and correcting system flaws (patching) in a timely manner. Malicious code protection mechanisms are also examined as part of this practice family. Finally, periodic and real-time scanning is examined as part of reviewing files from external sources as they are downloaded, opened, or executed. (SI.1.210, SI.1.211, SI.1.212, SI.1.213)

Next Steps

Now that you’re a CMMC ML-1 expert, are you ready to get started on your CMMC journey? We certainly hope so. If you need assistance getting prepared, feel free to reach out to our team. We can help you prepare by conducting a readiness review to make sure you are on the path to success!

Be on the lookout for our next article in this series where we discuss the CMMC Maturity Level 2 (ML-2) designation, how it differs from ML-1, and how it fits into the overall CMMC ecosystem.

Until then, be safe and stay secure!
