8 Questions About CMMC and Cybersecurity Insurance
1. Do you know what CUI and FCI stand for?
Controlled Unclassified Information (CUI) is “information that requires safeguarding or dissemination controls” consistent with applicable laws, regulations, and government-wide policies. Federal Contract Information (FCI) is information provided by or generated for the government under a contract that is not intended for public release.
2. Do you know the difference between them?
The word safeguarding.
Most CUI is considered FCI, but not all FCI is CUI — and each comes with a different set of requirements regarding security. FCI must meet the basic safeguarding requirements under Federal Acquisition Regulation (FAR) clause 52.204-21, while CUI must adhere to NIST SP 800-171.
To comply with CMMC Level 2, you will need to treat your data as CUI.
3. How many security controls fall under the basic safeguarding requirements?
Fifteen (15).
They represent the minimum requirements for protecting FCI, and they give you a good starting point on your way to meeting CUI-level security.
4. Do you know which CMMC practice is considered “Sudden Death” when it is not implemented?
Failure to limit system access to authorized users (AC.L1-3.1.1). Without this control, it is far too easy for bad actors to compromise your network. Federal contractors must also have a System Security Plan (SSP) in place that describes each covered information system, among other safeguards and documentation.
5. Do you know about the CMMC self-assessment and scoring?
Part of CMMC compliance involves taking a self-assessment developed by the Department of Defense (DoD), then submitting your score to the DoD’s Supplier Performance Risk System (SPRS). Sounds simple, right?
Not quite. SPRS scores are subject to accuracy audits by the DoD and other agencies, and a misreported score carries significant risk. During the last round of audits, three-quarters of contractors that claimed to be compliant were found to be in error.
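To make the scoring concrete, here is an added worked example (not from the article or from any DoD tool) of how a NIST SP 800-171 self-assessment score is derived before it is entered into SPRS. It assumes the DoD Assessment Methodology rules: start at 110, subtract a weight of 5, 3 or 1 for each requirement not implemented (floor of -203), partial credit for 3.5.3 and 3.13.11, and no assessable score without an SSP (3.12.4); the weight table is a small constructed excerpt, not the full list.

```python
"""Worked SPRS self-assessment score calculation (added example).

Assumed rules (DoD Assessment Methodology, verify against the official
scoring table): every assessment starts at 110; each requirement that is
NOT implemented subtracts its weight (5, 3 or 1); the floor is -203;
3.5.3 (MFA) and 3.13.11 (FIPS crypto) may earn partial credit (deduct 3
instead of 5); without an SSP (3.12.4) no score can be produced at all.
"""

START_SCORE = 110
MIN_SCORE = -203
SSP_REQUIREMENT = "3.12.4"

# Constructed excerpt of requirement weights; requirements not listed in a
# status dict are treated as implemented for this illustration only.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain system audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify, report and correct system flaws
}
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}  # deduct 3 rather than the full 5


class NoSSPError(ValueError):
    """No System Security Plan: the assessment cannot be completed."""


def sprs_score(status):
    """status maps requirement id -> 'met', 'not_met' or 'partial'."""
    if status.get(SSP_REQUIREMENT) != "met":
        raise NoSSPError("3.12.4 not met: without an SSP there is no score")
    score = START_SCORE
    for req, state in status.items():
        if req == SSP_REQUIREMENT or state == "met":
            continue
        if state == "partial":
            if req not in PARTIAL_CREDIT:
                raise ValueError(f"{req} does not allow partial credit")
            score -= 3
        elif state == "not_met":
            score -= WEIGHTS[req]
        else:
            raise ValueError(f"unknown state {state!r} for {req}")
    return max(score, MIN_SCORE)


# Constructed sample: MFA only for remote and privileged users (partial),
# non-FIPS encryption, no flaw remediation, CUI flow not controlled.
SAMPLE_ASSESSMENT = {
    "3.12.4": "met", "3.1.1": "met", "3.1.2": "met", "3.1.3": "not_met",
    "3.3.1": "met", "3.5.3": "partial", "3.13.11": "not_met", "3.14.1": "not_met",
}

if __name__ == "__main__":
    print(sprs_score(SAMPLE_ASSESSMENT))  # 110 - 1 - 3 - 5 - 5 = 96
```

A single unmet 5-point control costs as much as five 1-point ones, which is why the "sudden death" access-control practice above weighs so heavily on the score you report.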
6. Do you know the risks associated with false claims?
Business owners are subject to the False Claims Act, which can result in fines, penalties, and possible debarment from federal contracting.
7. Do you know how long it takes to meet CMMC compliance?
It often requires changes that take 12 – 18 months to implement, depending on which NIST SP 800-171 processes and procedures you currently lack. This comes as a surprise to many contractors, who assume it takes as little as 30 – 60 days.
8. Do you know what CMMC-approved resources are available to your team?
If you want assistance preparing for CMMC, look for Cyber AB-certified resources that can help you evaluate your business and map out your journey toward compliance. As a registered provider organization (RPO), Healthcare Resolution Services can identify which NIST requirements your company has not met, and establish Plans of Action and Milestones (POA&Ms) to fulfill them.
Contact us today to discuss a program.