About Us

Sera-Brynn is a veteran-owned and -operated cybersecurity firm focused on audits and assessments, cyber risk management, and incident response. The headquarters are in Chesapeake, Virginia, near the seven cities of Hampton Roads: Norfolk, Portsmouth, Hampton, Newport News, Suffolk, Chesapeake, and Virginia Beach. Our Compliance, Audit, Risk Control, and Cyber Incident Response services have been trusted by organizations in every industry and of every size. Sera-Brynn is ISO/IEC 17020:2012 accredited and FedRAMP certified.


CMMC 2.0: The Change, The Delay, and the New Expectations of CMMC

Yesterday the Department of Defense (DoD) released the results of its review of the CMMC 1.0 program. The revised standard will be called CMMC 2.0, and it makes several significant changes to the program.

Figure 1. CMMC 2.0 Model: CMMC 2.0 Changes

The most obvious changes are the simplification of the levels from a total of 5 down to 3 and the elimination of the 20 additional maturity-level processes. The new CMMC 2.0 Level 1 (Foundational) requirements mirror the requirements of FAR 52.204-21 and will require an annual self-assessment (and possibly an attestation of compliance status). The new Level 2 (Advanced) aligns directly with the 110 practices of NIST SP 800-171; the type of government information involved will determine the assessment (and possibly attestation) requirements and whether a third-party assessment is required. The new Level 3 (Expert) builds on the new Level 2 and adds the additional requirements of NIST SP 800-172, and all Level 3 assessments will be led by a government team.

With the significant changes made to the model, the government has suspended the CMMC 1.0 pilot program, and no contracts will include any CMMC 2.0 language until the rulemaking process has been completed. This is estimated to take from 9 to 24 months. While the CMMC compliance aspect has been delayed in the near term, all the existing cybersecurity requirements found in DFARS 252.204-7012, DFARS 252.204-7019, and DFARS 252.204-7020 still apply and will be evaluated during proposal evaluation and contract quality assurance monitoring.

If your company is a DoD contractor and you have contracts with the cybersecurity clauses listed above, you will need to provide adequate security on all your covered information systems. To do this you will need to:

  • Establish a System Security Plan (SSP), document the security requirements that are not yet implemented, and develop plans of action and milestones (POA&M) to implement them.
  • Conduct a basic self-assessment of your information system at least once every 3 years in accordance with the NIST SP 800-171 DoD Assessment Methodology, and post your score to the Supplier Performance Risk System (SPRS).
  • Review and rapidly report any cyber incidents you discover.
  • If a cloud service provider (CSP) stores, processes, or transmits covered defense information (CDI), ensure the CSP meets security requirements equivalent to those established by the Government for the FedRAMP Moderate baseline. The CSP must also meet the requirements of DFARS 252.204-7012(c) through (g).

The existing cybersecurity DFARS clauses and the recent changes in CMMC 2.0 emphasize the critical need for companies in the Defense Industrial Base (DIB) to get their cybersecurity house in order as soon as possible. This is not a time to wait for the final rulemaking before examining your cyber risk reduction practices. Do something now. Develop your plan and then execute it.

If you don’t know where to get started, we can help. Sera-Brynn offers services to help you implement the requirements of DFARS 252.204-7012, and our experts can help you conduct the self-assessment required by DFARS 252.204-7019.

About Sera-Brynn

Founded in 2011 by former members of the U.S. intelligence community, Sera-Brynn partners with some of the world’s most respected and recognized brands to help them secure their infrastructure and meet cybersecurity compliance requirements. Sera-Brynn has invested in its capabilities and is proud to be one of only seven companies worldwide that hold certifications as both a Federal Risk and Authorization Management Program (FedRAMP) Third Party Assessment Organization (3PAO) and a Payment Card Industry (PCI) Qualified Security Assessor (QSA). We use these and other individual advanced certifications (e.g., CISSP, CEH) to help companies develop cybersecurity programs that meet federal and commercial compliance requirements (NIST SP 800-171, DFARS 252.204-7012, CMMC). Our experts, with their specialized and comprehensive experience, will solve your most complex cyber challenges.

Contact us at 1-757-243-1257 or info@sera-brynn.com