Regulatory Compliance

The strongest security, best economics and fastest deployment to comply with
regulatory requirements


New standard for DoD compliance

The Department of Defense (DoD) created Cybersecurity Maturity Model Certification (CMMC) to better defend the vast attack surface that the Defense Industrial Base (DIB) sector presents to adversaries.

CMMC combines existing cybersecurity control standards such as NIST SP 800-171, DFARS Clause 252.204-7012, CFR 52.204-21, and others, into one unified standard for cybersecurity and maps them across the five CMMC maturity levels.

CMMC measures a company’s ability to protect FCI (Federal Contract Information) and CUI (Controlled Unclassified Information). All of the approximately 300,000 vendors that make up the DoD supply chain must achieve the maturity level appropriate to the sensitivity of the information they handle for DoD.

Businesses not regulated by CMMC also use the control standards to establish best practices for data protection.

LockDown’s Compliance with CMMC

LockDown’s Compliance with NIST 800-171

LockDown ensures compliance

LockDown’s secure communication platform supports compliance with virtually all the CMMC and NIST 800-171 mandates for protecting FCI and CUI related to:

  • Access Control
  • Audit and Accountability
  • Identification and Authentication
  • Media Protection
  • Recovery
  • Risk Management
  • Systems and Communications Protection

Built upon some of the world’s most advanced encryption and key handling technology, LockDown ensures compliance, visibility and data control while preventing spoliation and leakage.

With LockDown, policy is automatically enforced through technology – thereby eliminating the challenges of password management, manual data retention and other problems subject to user error and/or insider threat.

LockDown adheres to each of the fundamental cybersecurity principles listed below, beginning with the gold standard of end-to-end encryption to protect messages and files – even in the event of a network or server breach in which administrators are compromised.

LockDown adheres to the fundamental cybersecurity principles of:

  • Controlled access
  • Distributed encryption keys
  • Encrypted activity logs
  • End-to-end encryption
  • Key-based authentication (password free)
  • Secure cloud-based service

With LockDown, all messages and files are encrypted on-device, preventing risk even in the event of a network or server breach.

Messaging

LockDown messaging lets you send and receive encrypted messages on smartphones (iPhone and Android) and computers (Windows and Mac) through the LockDown app – a secure, containerized communication environment. Messages are independently encrypted on-device, stored privately and securely in the cloud (AWS) and shared with end-to-end encryption. Messages are never stored on any device – so there is no breach if a device is lost or stolen.

Unlike Microsoft Office 365 and Gmail, which always have access to your data, only you and the people with whom you’ve explicitly shared messages can decrypt them.

File Sharing

With LockDown, files are independently encrypted on-device, stored privately and securely in the cloud (AWS) and shared with end-to-end encryption. When a file is uploaded to LockDown, an encrypted copy is created and assigned permissions, including whether that file may be exported/downloaded, printed, copied/pasted, and watermarked (including the recipient’s name and phone number and/or a custom message such as “Confidential CUI”). Files are never stored on any device – so there is no breach if a device is lost or stolen. There is also no need to sanitize a device when it goes out of service.

Unlike Box, OneDrive, Google Drive, and DropBox, which always have access to your data, only you and the people with whom you’ve explicitly shared files can decrypt and read them.

Elimination of passwords

Instead of relying on passwords, LockDown authenticates users via Multi-factor Authentication (MFA) that includes a large, strong cryptographic key that is automatically created and stored on each user’s smartphone plus a short PIN selected by the user (that is not stored on the phone).

Replacing passwords with cryptographic keys eliminates the many significant security risks that flow from phishing and password-guessing attacks, including the use of compromised passwords for unauthorized access and malicious activity. And because the unique keys are stored on each user’s smartphone, there is no one central point of attack for hackers to target. The short user-selected PIN (that is not stored on the device) prevents a lost or stolen device from being used. If the PIN is incorrectly entered 5 times, the account is locked until confirmed by the organization.
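The authentication design described in the two paragraphs above (a device-held key, a PIN that is never stored, and a lockout after 5 wrong PINs) can be modelled in a few dozen lines. The code below is an added illustration written for this page; it is not LockDown’s implementation and makes its own assumptions: the device key is wrapped with a PBKDF2 key derived from the PIN, the device keeps no way to check the PIN locally (a wrong PIN simply yields a wrong key), and the server holds a per-device verifier key and enforces the 5-attempt lockout with an HMAC challenge-response. A real deployment would typically use a public-key signature instead of a shared HMAC key so the server never holds the device’s secret.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# From the page: five incorrect PIN entries lock the account until the
# organization confirms the user.
MAX_FAILED_ATTEMPTS = 5


@dataclass
class Device:
    """What the smartphone stores. Note: no PIN, no PIN hash, no MAC over the key."""
    salt: bytes
    wrapped_key: bytes  # device key XORed with a PIN-derived 32-byte key


@dataclass
class ServerAccount:
    """Server-side state for one enrolled device (assumed design)."""
    device_key: bytes   # verifier for the challenge-response below
    failed_attempts: int = 0
    locked: bool = False


def derive_pin_key(pin: str, salt: bytes) -> bytes:
    # Slow KDF so the PIN cannot be cheaply brute-forced from the wrapped key.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=32)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(pin: str) -> tuple[Device, ServerAccount]:
    """Create a fresh 256-bit device key; the PIN only wraps it on the device."""
    device_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    wrapped = xor_bytes(device_key, derive_pin_key(pin, salt))
    return Device(salt=salt, wrapped_key=wrapped), ServerAccount(device_key=device_key)


def unwrap_key(device: Device, pin: str) -> bytes:
    # Deliberately no local verification: with a stolen phone an attacker
    # cannot tell a right PIN from a wrong one without asking the server,
    # and the server counts every wrong answer.
    return xor_bytes(device.wrapped_key, derive_pin_key(pin, device.salt))


def device_response(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()


def server_verify(account: ServerAccount, challenge: bytes, response: bytes) -> str:
    """Returns 'ok', 'denied', or 'locked'. Lockout is enforced here, not on the device."""
    if account.locked:
        return "locked"
    expected = device_response(account.device_key, challenge)
    if hmac.compare_digest(expected, response):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
        return "locked"
    return "denied"


def login(device: Device, account: ServerAccount, pin: str) -> str:
    """One full round: server challenge -> device HMAC with the unwrapped key -> verdict."""
    challenge = secrets.token_bytes(16)
    response = device_response(unwrap_key(device, pin), challenge)
    return server_verify(account, challenge, response)


def admin_unlock(account: ServerAccount) -> None:
    """The 'confirmed by the organization' step: only an administrator clears the lock."""
    account.locked = False
    account.failed_attempts = 0


if __name__ == "__main__":
    dev, acct = enroll("4821")              # constructed sample PIN
    print(login(dev, acct, "4821"))         # ok
    print([login(dev, acct, "0000") for _ in range(5)])  # 4 x denied, then locked
    print(login(dev, acct, "4821"))         # locked: even the right PIN is refused
    admin_unlock(acct)
    print(login(dev, acct, "4821"))         # ok again
```

The detection-relevant point is that the counter lives on the server: the fifth wrong PIN flips the account to locked, the correct PIN is then refused until an administrator clears it, and every failed attempt is an event the organization can log and alert on.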

Administration console

Using LockDown’s Admin Console, IT administrators can create, modify, and delete users and groups, as well as set organization-wide data and recovery policies.

Data is never stored on the users’ devices, thereby mitigating the risk of lost or stolen devices, and IT administrators can revoke users’ access quickly. Even though all messages and files are encrypted, admins have the tools they need to manage and access their organization’s data. They can view and securely share immutable activity logs with authorized parties. Admins are only permitted to view data that is specifically shared with them.

Cloud-based service

Some organizations have grown increasingly distrustful of cloud-based solutions for data storage. LockDown’s patented encryption technology gives organizations the best of both worlds: end-to-end encryption that is even more secure than on-premise deployments, combined with the cost, scalability and agility of the cloud.

LockDown runs on Amazon Web Services (AWS), which provides the foundation for many of the controls required to process and store CUI.

End-to-end encryption ensures that no one but intended recipients – not even LockDown or AWS – can ever access user data.

Messaging and file sharing compliance

In contrast to Microsoft and Google services, LockDown makes it easy to comply with CMMC rules for handling CUI. Microsoft Office 365 does not meet CMMC’s demands for securing email and files.

One option is Microsoft’s GCC High service, which is expensive per user, must be deployed across an entire organization, and requires a fork-lift upgrade to mail and file servers.

Google’s standard Gmail platform also doesn’t comply with CMMC requirements for securing CUI.

Alternatively, LockDown addresses requirements for CUI at a fraction of the cost, can be deployed only to users who handle CUI, and can be implemented in less than 20 minutes. See Appendix B, Comparison of LockDown vs. Alternatives, for a comparison of LockDown and Microsoft GCC High.

Data retention

LockDown ensures that data can be effortlessly created, traced and retained. Data is encrypted and stored on AWS, and is never stored on end-points. Admins may establish and maintain configurations to ensure data cannot be destroyed by end users and, instead, can be archived and retrieved by authorized parties. For FCI data that requires sanitization or destruction, authorized parties may do so.

Ease of use

LockDown is easy for end users to adopt because the user experience is similar to text messaging on smartphones and Slack or Microsoft Teams on computers, ensuring a short learning curve and quick adoption.

Frequently Asked Questions (FAQ)

The Department of Defense (DoD) created CMMC to better defend the vast attack surface that the Defense Industrial Base (DIB) sector presents to adversaries.

CMMC measures a company’s ability to protect FCI (Federal Contract Information) and CUI (Controlled Unclassified Information).

The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.

All of the approximately 300,000 vendors that make up the DoD supply chain must achieve the maturity level appropriate to the sensitivity of the information they handle for DoD.

CMMC combines existing cybersecurity control standards such as NIST SP 800-171, DFARS Clause 252.204-7012, CFR 52.204-21, and others, into one unified standard for cybersecurity and maps them across the five CMMC maturity levels.

Federal Contract Information (FCI) is information, not intended for public release, that is provided by or generated for the Government. This information is typically provided under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui and includes the following organizational index groupings:

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • NATO
  • Nuclear
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax


Resources, including online training to better understand CUI, can be found on the National Archives’ website at https://www.archives.gov/cui/training.html

DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

CMMC builds upon existing DFARS 252.204-7012 regulations rather than replacing them. CMMC adds a verification component to DFARS so that companies are no longer able to self-attest to their cybersecurity compliance.

CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.

Unlike NIST SP 800-171, the CMMC model possesses five levels. Each level consists of practices and processes as well as those specified in lower levels.

In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s institutionalization of cybersecurity processes.

The biggest change from previous practice is the shift from self-assessment of cybersecurity compliance to required external audits. All contractors will need to be certified by a CMMC Third Party Assessment Organization (C3PAO) at the CMMC maturity level appropriate to their DoD work. In the past, noncompliance with DoD security regulations was acceptable as long as companies prepared POAMs (Plans of Action and Milestones) outlining how they would address deficiencies. That will no longer be the case under CMMC.

The timetable for implementation of CMMC is rapid. DoD is aiming to add CMMC requirements to RFPs by Fall 2020. It is expected that the requirements will be phased in, starting with companies that handle CUI associated with DoD critical programs and technologies. Once in effect, CMMC certification will be the basis of a “go/no go” decision for DoD contracts.

Companies that work with or generate CUI will need to achieve CMMC Level 3 at a minimum, which most likely will mean that they will need to strengthen the security of their email communications, file sharing, and storage. Note that if your business has migrated to the cloud, standard commercial cloud services such as Microsoft Office 365 and Gmail are not CMMC compliant.

Determine the appropriate CMMC level for your company. Companies that only handle FCI will need to achieve Levels 1 or 2. Any company that handles CUI will need to achieve at least Level 3. Higher Levels 4 and 5 will focus on reducing the risk of advanced persistent threats (APTs) and are intended to protect CUI associated with DoD critical programs and technologies.

Examine the current state of your cybersecurity and identify gaps between your organization’s capabilities and the requirements for the maturity level you seek. Develop a plan to help guide you toward closing gaps and implementing needed IT systems and processes.

Select a C3PAO to certify your organization. C3PAOs are expected to be trained, accredited and ready to certify businesses beginning in mid-2020.

The CMMC Accreditation Body (AB), a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC AB will provide the requisite information and updates on its website (www.cmmcab.org).

The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs as well as other information. After the CMMC Marketplace is established, DIB companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.


Under CMMC, self-certification is no longer possible. DIB companies are encouraged to complete a self-assessment prior to scheduling a CMMC assessment.

No. If a company is not CMMC certified, it cannot participate in an RFP for the DoD. Specifically, the DoD intends to identify the required CMMC level in RFP sections L and M, and use responses there as the basis of a “go/no go” decision.

DoD intends to identify the required CMMC level in RFP sections L and M, and use responses there as the basis of a “go/no go” decision.

All companies conducting business with the DoD must be certified. Starting in June 2020, all new Department of Defense contracts will require contractors – including subcontractors – to have a Cybersecurity Maturity Model Certification (CMMC).

In general, a CMMC certificate will be valid for 3 years.

Yes, so long as your company does not solely produce COTS products, it will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowed down from your prime contractor.

Yes. All companies conducting business with the DoD must be certified. The level of certification will depend on the type of information the company handles.

The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.

Yes. All contractors are responsible for the CMMC compliance of their participating companies in their supply chain.

Solution Benefits

SECURITY

Persistent encryption safeguards confidential documents and private communication.

CONTROL

Expirations, watermarks and screenshot notifications ensure content remains private.

COMPLIANCE

Encryption, powerful access controls, and detailed audit trails ensure compliance with regulations.

EASE OF USE

LockDown takes minutes to set up, is very intuitive and is completely password-free.

Schedule a Demo

See how LockDown can help you secure, protect and control confidential information and private communication.