The U.S. Department of Defense (DoD) introduced its Cybersecurity Maturity Model Certification (CMMC) program in early 2020. CMMC is a security framework and assessor certification program designed to ensure that all Defense Industrial Base (DIB) contractors meet at least basic cybersecurity requirements for handling Controlled Unclassified Information (CUI), which includes compliance with a variety of standards published by the National Institute of Standards and Technology (NIST).
The DoD announced the second iteration, CMMC 2.0, in November 2021. This version was designed to streamline the requirements, reducing the number of certification levels from five to three. Its requirements mirror NIST SP 800-171 and NIST SP 800-172. In December 2023, the DoD released its proposed rule to implement the program. If adopted, the CMMC program will require most contractors handling CUI to obtain third-party certification that they have successfully implemented the 110 cybersecurity controls in NIST SP 800-171. Contractors are already required to comply with NIST SP 800-171, but only self-attestation is currently required.
“CMMC 2.0 will require contractors to obtain third-party certification that they have successfully implemented the 110 cybersecurity controls”
Comments on the proposed rule are open until February 26, 2024. The final rule will likely go into effect in early 2025.
CMMC 2.0 and Password Management
One area of cybersecurity that the new CMMC rule addresses is password management. The majority of CMMC’s current security controls are based on NIST SP 800-171 Revision 2, which was released in 2020. NIST SP 800-171 Revision 3 is being released in the coming months and includes new requirements for passwords.
Defense contractors will need to adhere to these new requirements, such as changing passwords when they have been compromised and ensuring that new or updated passwords do not appear on lists of commonly used, expected or compromised passwords.
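The two password requirements just described (screening new or changed passwords against a list of commonly used or compromised values, and forcing a change when a password in use turns out to be compromised) are straightforward to implement. The following is an added example written for this article, not code from Keeper, NIST or the CMMC program. The blocklist entries are constructed placeholders, and the minimum length of 8 is an assumed local policy value rather than anything the rule specifies.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample blocklist standing in for a real list of commonly used and
# breach-exposed passwords (a real deployment loads millions of entries).
BLOCKLIST_PLAINTEXT = [
    "password", "123456", "qwerty", "letmein", "welcome1", "Summer2023!",
]


def normalize(password: str) -> str:
    """Canonical form used only for blocklist comparison: trim and case-fold so
    trivial variants of a banned value ('Password', 'PASSWORD ') are also caught."""
    return password.strip().casefold()


def sha1_hex(text: str) -> str:
    """SHA-1 is used here purely as a lookup key so the list need not be kept in
    plaintext; it is NOT a password-storage hash (use a slow, salted KDF for that)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Pre-hash the list once so membership checks never touch plaintext entries.
BLOCKLIST_HASHES = frozenset(sha1_hex(normalize(p)) for p in BLOCKLIST_PLAINTEXT)


def is_blocklisted(candidate: str) -> bool:
    """True if the candidate (after normalization) appears on the blocklist."""
    return sha1_hex(normalize(candidate)) in BLOCKLIST_HASHES


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def evaluate_new_password(candidate: str, min_length: int = 8) -> Verdict:
    """Gate applied when a password is created or changed.

    min_length is an assumed local policy value (not taken from the rule)."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_blocklisted(candidate):
        reasons.append("appears on the commonly used / compromised password list")
    return Verdict(accepted=not reasons, reasons=reasons)


@dataclass
class Account:
    username: str
    must_change_password: bool = False


def on_successful_authentication(account: Account, presented_password: str) -> Account:
    """Re-screen at login, the one point where the plaintext is available.

    If a password that was acceptable when set now appears on the list (for example
    after a blocklist update), flag the account so a change is required."""
    if is_blocklisted(presented_password):
        account.must_change_password = True
    return account


if __name__ == "__main__":
    for pw in ["password", "  PASSWORD ", "abc", "correct-horse-battery-staple"]:
        print(repr(pw), evaluate_new_password(pw))
    print(on_successful_authentication(Account("alice"), "letmein"))
```

Screening at password creation handles the "new or updated passwords" requirement; re-screening at authentication is how a system can detect that a password already in use has since become compromised without ever storing it in recoverable form.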
Weak passwords continue to be a cybersecurity gap that fuels ever-growing threats of compromise and critical data loss. Password managers can help contractors create and store long, random passwords, and make sure each individual login has a different password. They can also help address several of the controls in CMMC 2.0.
Keeper Security Government Cloud: A FedRAMP Authorized Solution
Keeper Security Government Cloud (KSGC), a password manager and privileged access manager, is FedRAMP Authorized at the Moderate Impact level. It comes with a comprehensive CMMC package that documents the controls relevant to password compliance and explains how DoD contractors can work toward CMMC certification by implementing Keeper’s Enterprise Password Management platform and its reporting capabilities.
Meeting CMMC’s security controls requires a combination of people, processes and technology. By implementing KSGC, DoD contractors can address 26 of the 110 controls in CMMC 2.0.
Keeper has partnered with GRC Academy to create a CMMC reference guide that details exactly which controls KSGC can be used to meet or support. GRC Academy offers a CMMC Overview Course focused on Defense Contractors, and says that the course can save defense contractors weeks of research and set them up for success as they prepare for CMMC.
Using a security platform such as KSGC allows government contractors to enforce and require the adoption of password security and access management best practices. Request a demo today to learn how KSGC can strengthen your organization’s security posture and help with CMMC compliance.