The Final Version of the CMMC Cybersecurity Standard Is Here, but Wait...

In the last couple of weeks, Trusted Internet has worked with dozens of companies struggling to become CMMC compliant, even as the final standards were being rolled out.

Here are a few lessons learned:

  • This is incredibly hard for small companies, and more expensive than most of them expected compliance to be.

  • Tools thought to be secure aren't good enough.

  • And, yes, the government is willing to monitor your networks if need be.

Those are big words. Let me explain:

This is incredibly hard for small companies, and more expensive than most of them expected compliance to be.

There are 93 controls that must be implemented to meet what is expected to be the baseline standard (CMMC L3) for many defense contractors today. For example:

  • A306: Requires the identification of Controlled Unclassified Information (CUI). Most companies understand why this matters, but the catalogs that define CUI are still rather broad. The fallback for a small company is to treat EVERYTHING as CUI. Unfortunately, that does not satisfy an auditor, who expects CUI to be identified and scoped; it also pulls every system that touches company data into the assessment boundary, which drives up the cost of the other controls. What's the right answer? It is still not clear.

  • C036: Requires a code review of software developed internally for internal use. Again, security professionals understand the need for this, but not one company we have interviewed even knew what it means.

Tools thought to be secure aren't good enough.

Here's a perfect example. Microsoft Office 365 is the primary email system at every company we have talked to so far. Those companies are finding out that commercial O365 does not qualify as CMMC compliant unless they move to the (very) expensive Government Community Cloud (GCC) version.

The fix? Companies are being told to spend thousands of dollars to move to GCC, or to buy an email system that meets the FIPS 140-2 cryptography and auditing requirements (the FIPS-validated cryptography requirement comes from NIST SP 800-171, which CMMC builds on). That often means purchasing a plug-in email system at additional cost, or replacing O365 email outright with something that is compliant.

And, yes, the government is willing to monitor your networks if need be.

  • Two companies so far (it's still early) have sent us advertisements they received from DoD touting a firewall that can be purchased for little money, with one year of free service, but it comes with a catch: DoD can monitor the dashboard for your company.

Trusted Internet can help you prepare for your required Cybersecurity Maturity Model Certification (CMMC) today

Trusted Internet offers a CMMC package to help our clients prepare for this critical federal government requirement.

Purposefully built by former leaders in DoD's cybersecurity and information assurance programs, Trusted Internet's Managed Detection & Response offering, paired with our standardized architecture, satisfies most of the current technical requirements needed to comply with NIST 800-171. Everything is monitored and protected 24x7. It raises your CMMC readiness starting on the first day of installation.

To complete your compliance requirements, we've partnered with a DoD auditing company in Huntsville, AL to prepare you for your final certification audit.

For more information, contact us at info@trustedinternet.io or 800-853-6431