Update on the CMMC
The U.S. Department of Defense (DOD) has recently announced the creation of a new Cybersecurity Maturity Model Certification (CMMC) program. The idea behind this new initiative is to provide a single unified standard under control by a neutral third party that all DoD Contractors will be required to meet in order to submit proposals for future new business. The CMMC will have maturity levels, currently proposed as 1 - 5 that range from “Basic Cybersecurity Hygiene” to “Advanced”, with CMMC Level 1 being the easiest to obtain. All DoD Contractors will be required to pass an assessment/audit to officially obtain their required CMMC Level acknowledgement. To be included in RFPs (June 2020) and new Solicitations (Late 2020).
CMMC Version 1.0 Released January 31, 2020: Learn More >
Secure Software
With approximately 30 percent of all breaches occurring as a result of a vulnerability at the application layer, software purchasers are demanding more insight into the security of the software they are buying. CA Veracode Verified empowers JAMIS to demonstrate its commitment to creating secure software. Organizations that have their secure development practice validated, and their application accepted into the Standard Tier, have demonstrated that the following security gates have been implemented into their software development practice:
- Assesses first-party code with static analysis
- Documents that the application does not allow flaws in first-party code
- Provides developers with remediation guidance when new flaws are introduced
NIST SP 800-171 (DFARS 252.204-7012)
JAMIS has applied the required risk management framework including conducting the activities of security categorization, security control selection and implementation, security control assessment, system authorization, and security control monitoring, and has taken the necessary steps in meeting data security standards and regulations of NIST SP 800-171 and DFARS 252.204-7012 for our customers.
Defense contractors routinely process, store and transmit sensitive federal information to assist federal agencies in carrying out their core missions and business operations. Federal information is also shared with state and local governments, universities and independent research organizations.
To keep this information secure, Executive Order 13556 established the Controlled Unclassified Information (CUI) Program to standardize the way the executive branch handles unclassified information that requires protection, such as personally identifiable information.
JAMIS has performed all of the mandatory procedures to meet the requirements of the DFARS guidelines and meet or exceed the information security requirements established for Department of Defense (DoD) contractors.
SSAE-18 SOC 1 and SOC 2
SSAE (Statements on Standards for Attestation Engagements) SOC (Service Organization Control) reports were created by the AICPA (American Institute of Certified Public Accountants) in order to set compliance standards and keep pace with the rapid growth of cloud computing and businesses outsourcing their services to third-party providers.
The SSAE 18 SOC 1 report focuses on a service provider’s processes and controls that could impact their client’s internal control over their financial reporting (ICFR). The SOC 2 is a separate report that focuses on controls at a service provider relevant to security, availability, processing integrity, confidentiality, and privacy of a system. It ensures that your data is kept private and secure while in storage and in transit and that it is available for you to access at any time.
The SOC 1 and SOC 2 reports come in two forms: Type I and Type II. Type I reports evaluate whether proper controls are in place at a specific point in time. Type II reports are done over a period of time to verify operational efficiency and effectiveness of the controls.
