So you provide transportation services for military household goods – moving families when they PCS (Permanent Change of Station)? That’s a valuable service, and likely a big part of your business. But keeping those contracts is getting a little more complicated. You’ve probably heard the term “CMMC” floating around, and it’s something you need to understand.

This post will break down CMMC in plain language and explain what it means for you as a transportation service provider.

What is CMMC?

CMMC stands for Cybersecurity Maturity Model Certification. Basically, the Department of Defense (DoD) realized that protecting sensitive unclassified information (like details about troop movements, family locations, etc.) requires a standardized approach to cybersecurity. They’re raising the bar, and CMMC is how they’re doing it.

Think of it like this: before, just saying you had good security might have been enough. Now, the DoD wants proof. CMMC isn’t just about having a firewall or antivirus software. It’s about building a whole system of cybersecurity practices, documented and verified.

Why Does CMMC Matter to My Transportation Business?

If you work with the DoD, or even sub-contract with companies that do, you’ll need to meet CMMC requirements to continue winning bids. The DoD is starting to enforce these requirements, and contracts are at risk if you’re not compliant.

Specifically, the type of data you handle – things like shipping manifests, origin/destination information, and even contact details – falls under the umbrella of Controlled Unclassified Information (CUI) that the DoD needs to protect. Even seemingly harmless information can be pieced together to create a bigger security risk.

What CMMC Level Do Transportation Providers Need?

This is where it gets more specific. For most household goods transportation providers, you’ll likely need to achieve CMMC Level 2.

Here’s a simplified breakdown of what Level 2 means:

  • Basic Access Control: You need to control who has access to your systems and data. Think strong passwords, multi-factor authentication where possible, and limiting access to only what people need to do their jobs.
  • Fixed Media Protection: Protecting data on things like laptops, hard drives, and even USB drives. This means things like encrypting data, having policies for handling removable media, and securely wiping data when devices are retired.
  • CUI Protection: This is the big one. You need to be able to identify, protect, and properly dispose of CUI. This involves things like marking documents appropriately, having policies for handling sensitive information, and knowing how to respond to a data breach.
  • Account Management: Tracking and managing user accounts, disabling accounts when people leave the company, and ensuring everyone has the appropriate permissions.
  • Incident Response: Having a plan for what to do if a security incident occurs – a breach, a ransomware attack, etc.

What Do I Need To Do Now?

  1. Self-Assessment: The first step is figuring out where you stand. The CMMC Program Management Office offers a Level 2 Assessment Guide that can help you identify gaps in your current security practices. I am also in the process of putting together a guide.
  2. Implement Security Controls: Based on your self-assessment, start implementing the necessary security controls. This might involve updating software, creating new policies, and training your employees.
  3. Documentation is Key: CMMC isn’t just about doing the right things; it’s about proving you’re doing them. Document everything! Policies, procedures, training records, audit logs – you’ll need it.
  4. Consider a Certified Third-Party Assessor: If you don’t have a robust internal IT department, you may need the assistance of an independent assessor. They’ll verify that you’ve implemented the necessary controls and that they’re working effectively.
  5. Stay Updated: CMMC is an evolving framework. The DoD is constantly refining the requirements, so stay informed about the latest changes. This website is intended to help with that.

Resources to Help You:

Don’t wait! Getting CMMC compliant takes time and effort. The sooner you start, the better prepared you’ll be to maintain your valuable contracts with the DoD and continue providing vital services to our military families.
