CMMC 2.0: A Roadmap to Compliance with Trustwave

October 01, 20244 Minute Read

The U.S. Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) 2.0 has passed through the Office of Information and Regulatory Affairs and is now on its way to Congress, set to become law by Q4 2024. With the CMMC becoming official law, its full implementation in defense contracts will occur through a phased approach over three years starting in 2025.

The DoD and industry experts emphasize that contractors and subcontractors should be actively working now on their National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 implementation and CMMC compliance preparation.

Are you prepared?

If you're a DOD contractor or subcontractor, it's crucial to understand the CMMC 2.0 requirements and ensure that your organization is compliant. That's where Trustwave comes in.

Trustwave has developed the CMMC Readiness Accelerator to help clients and all organizations understand and work within CMMC 2.0. Trustwave's accelerator program is designed to create a comprehensive roadmap to help current and potential contractors and subcontractors meet the stringent requirements set forth by the DoD.

What is the Trustwave CMMC Readiness Accelerator?

The Trustwave CMMC Readiness Accelerator provides you with a roadmap to prepare your security programs for CMMC certification.

Trustwave's approach to achieving CMMC certification is thorough and tailored to your specific needs. The process begins with requirements gathering, where Trustwave collaborates with you to outline the CMMC requirements and identify in-scope systems based on the desired compliance level. This involves a detailed review of CMMC documentation, guidelines, and practices, as well as identifying relevant systems and processes.

Next, Trustwave conducts a gap analysis to pinpoint weaknesses or deficiencies in your current security programs. This includes reviewing your existing system security plan (SSP), policies, procedures, and technical controls to identify areas needing improvement.

Finally, Trustwave works with you to develop a prioritized roadmap tailored to your specific needs, based on the findings from the gap analysis. This roadmap includes recommendations for addressing identified weaknesses and enhancing your cybersecurity posture.

Trustwave can also help you implement changes to your security in alignment with the CMMC requirements. Implementation services may include the corrective actions from the roadmap or any other activities that you are looking to put in place to increase your security maturity.

In general, this may include:

1. Implementing security controls and practices
2. Documenting cybersecurity processes and practices
3. Conducting testing services and implementing managed security services
4. Installing and optimizing security tools and products

Furthermore, Trustwave can also work with you and relevant third parties to conduct a 'mock' CMMC assessment (i.e., pass or fail) in preparation for your certification.

Key Benefits of the Trustwave CMMC Readiness Accelerator

The Trustwave CMMC Readiness Accelerator offers several key benefits. Firstly, it provides access to a team of Trustwave consultants who possess deep subject matter expertise in governance, risk, and compliance. This expertise helps you achieve greater visibility into the data assets you are responsible for securing.

Next, the program aids in identifying security weaknesses and implementing corrective actions to meet CMMC requirements. By proactively protecting security investments from potential vulnerabilities, you can ensure that you are well-prepared for upcoming visits from assessors. Ultimately, the Trustwave CMMC Readiness Accelerator prepares you to win government contracts that require CMMC certification.

Additionally, Trustwave is a Registered Practitioner Organization (RPO) with the Cyber AB, which is the official accreditation body of CMMC. As an RPO, Trustwave has access to the Cyber AB's CMMC Readiness Tool (CRT), which provides the following key benefits:

• Ensures that the evaluation is conducted using the tool provided directly by the CMMC accreditation body.
• Provides an effective way to manage CMMC compliance gaps and remediation activities, including ownership and responsibilities.
• Enables effective information sharing with relevant auditors, C3PAOs, governing bodies, and other appropriate stakeholders.
• Saves time and resources by streamlining the review and analysis process.
• Provides advanced dashboarding capabilities, demonstrating trends and progress over time.

Why CMMC 2.0 is Vital for Keeping Information Safe

The DoD currently mandates that all contractors and subcontractors adhere to specific cybersecurity standards, and with the introduction of CMMC 2.0, this requirement becomes even more demanding. With the expected inclusion of CMMC 2.0 in contracts starting in 2025 it means that organizations must not only comply with these standards but also demonstrate their compliance effectively by getting certified at the appropriate level before a contract is awarded.

To meet the CMMC requirements, organizations need to address two fundamental questions:

• Is your cybersecurity maturity at the level required to receive an award for the DoD contracts you are bidding on?
• How can you implement and maintain compliance with these new best practices for managing cybersecurity?

The Trustwave CMMC Readiness Accelerator is tailored to answer these questions, providing a clear and actionable roadmap to prepare your security programs for CMMC certification. Depending on your certification goal, Trustwave will provide guidance and remediation planning to align your practices with CMMC standards.

Breaking Down CMMC 2.0

CMMC is a DoD program to safeguard sensitive information that is shared by the DoD with its contractors and subcontractors. CMMC is designed to enforce protection of federal contract information (FCI) and controlled unclassified information (CUI) in alignment with DoD's information security requirements, while keeping the supply chain running safely. The NIST SP 800-171 and 800-172 serve as the basis for these protection measures.

CMMC is codified as part of the Defense Federal Acquisition Regulation Supplement (DFARS) within the Code of Federal Regulations. The CMMC program is overseen by the Office of the Under Secretary of Defense for Acquisitions and Sustainment. The DoD has designated an independent non-profit organization, the Cyber AB, to manage the certification and accreditation process, which is at the core of CMMC. The DoD and the Cyber AB work together to implement the CMMC program from end to end.

The new CMMC 2.0 program has three levels of compliance:

• Level 1 (Foundational): Applies to organizations that focus on the protection of FCI. It includes 17 practices based on FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
• Level 2 (Advanced): Builds upon Level 1 requirements to include 110 practices based on NIST SP 800-171, introducing additional practices to increase security maturity. This level has additional requirements to ensure the protection of the two types of CUI data - prioritized and non-prioritized.
• Level 3 (Expert): Builds upon Level 2 requirements to introduce an additional subset of practices based on NIST SP 800-172, intended to protect CUI from advanced persistent threats (APTs).

Microsoft & CMMC

The last piece of the puzzle is the connection with Microsoft. Microsoft provides a Microsoft Sentinel CMMC solution, which empowers governance and compliance teams to design, build, monitor, and respond to CMMC requirements across cloud, on-premises, hybrid, and multi-cloud workloads. The solution contains a workbook, analytics rules, and playbooks.

Trustwave is endorsed and validated by Microsoft as a leading cybersecurity partner. Trustwave can help enable CMMC reporting in Microsoft Sentinel via the Trustwave Accelerator for Microsoft Sentinel service. This service provides you with a roadmap to accelerate value and security outcomes from Microsoft Sentinel.

By partnering with Trustwave, you can confidently prepare for CMMC certification and be ready to secure and maintain DoD contracts. Trustwave's expertise and comprehensive approach provide the guidance and support needed to navigate the complexities of CMMC 2.0, making compliance a seamless and achievable goal.

Trustwave Adds a Twist to Cybersecurity Awareness Month: More Security!

2024 Election Threats: Misinformation, Deepfakes, and Cybersecurity

Trustwave SpiderLabs' Red Team Flight Tests Microsoft Copilot