Controlled Unclassified Information (CUI) is any information created by the government, or by an entity working for the government, for which regulations define the safeguards or rules for dissemination. For vendors in the Defense Industrial Base (DIB), a cybersecurity standard is being set called the Cybersecurity Maturity Model Certification (CMMC). The CMMC framework includes a comprehensive certification to verify the implementation of the processes and practices associated with achieving cybersecurity. CMMC is designed to provide the Department with increased assurance that a DIB company can adequately protect sensitive CUI, down to the sub-contractor level.
The CMMC standard will consist of five cumulative levels, where each level consists of its own practices and processes as well as those specified in the lower levels. These levels are based on the NIST 800 framework but expand upon it to include other standards. All new RFPs will include the required CMMC level, and companies will not be awarded contracts if they are not certified at that level. Certification requires an assessment by a CMMC Third Party Assessment Organization (C3PAO) to the level required by the Department the DIB is working for. All DIBs are encouraged to have a non-certified assessment performed before attempting to become certified by a C3PAO.
New rules around the security of payment card data are set to take effect with PCI DSS Version 3.2, beginning April 2016. While the changes in the new regulations focus on clarification, giving merchants and payment processors additional information on expectations and requirements, small businesses will want to pay particular attention to a handful of the upcoming revisions.
Rules surrounding the security of protected health information (PHI) are set forth in the HIPAA regulations, with the latest changes published in January 2013. These regulations provide general guidelines and mandates for all covered entities. Among them is the requirement that all vendors that might have access to PHI, either physically or electronically, have a Business Associate Agreement with the covered entity.
The Cybersecurity Maturity Model Certification standard applies to all DIB contractors and sub-contractors who work with a government Department. Understanding this standard and how it is to be applied to a DIB is a complicated, time-consuming process. Farmhouse Networking will comprehensively evaluate the DIB to determine the administrative, physical, and technical safeguards needed to comply with the CMMC standard. After explaining how the CMMC standard will impact your organization, we will create documentation outlining security practices and breach notification requirements, together with a comprehensive Information Security Policy for the organization. An inventory of the network is done to identify where all current assets reside; deficiencies in network security are then prioritized so that the necessary cybersecurity measures can be implemented to mitigate risk and achieve CMMC assessment compliance.
Things that are typically addressed during the comprehensive evaluation of compliance and security are: