Last Updated on April 10, 2021
Government staffing agencies may not handle the same types of sensitive data that manufacturers and other firms in the US Department of Defense (DoD) supply chain typically do. But you’ll still need to meet the Cybersecurity Maturity Model Certification (CMMC) requirements your contract specifies.
In fact, a growing number of staffing companies are being asked to comply with CMMC Level 3—the level required to process Controlled Unclassified Information (CUI). Why? Because a number of CMMC Level 3 controls have been deemed legitimately “in scope” for their environments.
If this is your fate, it’s not all bad news. CMMC Level 3 certification could be a big competitive differentiator for future government contracts.
Further, you may be able to strategically “right-size” your CMMC Level 3 compliance effort, as Pivot Point Security CISO and Managing Partner John Verry explains in a recent episode of The Virtual CISO Podcast. This episode focuses specifically on what government staffing agencies need to know about CMMC.
“The way you would handle this if you were going to proceed towards CMMC Level 3, and you thought many of the controls didn’t make sense for you to implement… To do that properly, you conduct a risk assessment,” shares John. “You say which risks are in play and which aren’t. And then you use that [risk assessment] to substantiate why certain controls are not applicable in your environment.”
“And that would get documented in your System Security Plan (SSP),” John continues. “An SSP is a plan to provide a system. A system doesn’t necessarily need to be one PC or one application. It’s a collection of assets that support the operation of a particular function. What you’re saying in that particular case within your SSP is, ‘Hey, we’re receiving this data from these entities. That data is being processed in these locations, on these IT assets, touched by these people. And here are the stakeholders.’”
“You’re defining all of the context relating to that data,” clarifies John. “And then you’re documenting each of the 130 [CMMC Level 3] controls that you’re responsible for… How each control a) meets the CMMC requirements; and b) effectively manages the risk associated with the data within the context that you’ve outlined.”
“For example, if you have no systems that store, process or transmit CUI, could you make the argument that you don’t need to have a log management solution? That your log management solution doesn’t have to address these issues, so it’s not required?” says John. “Yes. You could make that logical argument. So you’d go through each control and say, ‘Here’s how we’ve implemented this.’ Or if you haven’t implemented it, here’s why.”
What CMMC Level 3 controls might be in scope for a typical SMB staffing firm?
John cites this scenario:
“Let’s say that you get to a point where you’re mostly [putting] bodies on bases. And you don’t think [sensitive] data’s going to be in our environment or there’s an insanely limited amount. And let’s say that you look at the risks and you say, ‘The physical security of our office is something we really need to account for.’ And also, employee background screening and security education. Minimally, even if you’re not responsible for the screening and education of the people that are going into the agencies on your behalf, [you might be responsible for] your own employees who are actually interacting with FCI and perhaps interacting with CUI.”
If you’re facing CMMC Level 3 compliance and want strategic guidance on how best to move forward, you’ll definitely appreciate this one-of-a-kind podcast episode with John Verry.