Certification doesn’t have to be hard. AirComply helps your business get and stay certified.
AirComply for Compliance
AirComply helps businesses comply with different voluntary and mandatory information security frameworks. Organizations in certain industries, such as finance, defense, healthcare, and auto dealerships, are required to follow certain laws and frameworks or face harsh penalties. Companies that sell to the US Department of Defense (DoD) must become CMMC (Cybersecurity Maturity Model Certification) compliant. Auto dealerships and other financial organizations must abide by the Federal Trade Commission (FTC) Safeguards Rule, which resulted from the Gramm-Leach-Bliley Act (GLBA).
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is a framework created and maintained by the US Government. Many organizations voluntarily choose to follow the guidelines set out in the publication to protect their organization from cyber threats. The framework is also the basis for other required frameworks.
AirComply supports businesses seeking to follow the guidance set out in CMMC, NIST, and the FTC Safeguards Rule. Our experts have helped companies become compliant and will work with your team to cover all the bases.
How Does AirComply Help Businesses Like Mine?
AirComply works with you as a trusted partner. We understand each business is unique, and we’re prepared to tackle the challenges businesses face to meet requirements for compliance. Our expert cybersecurity team uses sophisticated software to pull models, identify shortcomings, and modify your systems to ensure they meet best practices and achieve all 110 controls required by NIST SP 800-171. We’ll work with you through the audit and beyond to help your business reach and maintain Level 1 to Level 5 certification. We’ll make sure your data is secured to FTC standards.
Once your company is certified, you may choose to expand your cyber protection and IT needs with our other AirProducts.
FTC Safeguards Rule
The GLBA became a law in 1999 after its passage in the US Congress. Part of that law involves protecting consumer information. The enforcement of the law is handled by the FTC and their Standards for Safeguarding Customer Information – aka the Safeguards Rule. The FTC amended the Rule in 2021 to keep pace with current technology. The revised Rule provides updated, concrete guidance for businesses and requires companies covered by the Rule to implement important security measures to keep customer data secure. AirComply can assist your business with compliance. Here’s what you need to know.
According to Section 314.1(b), your business is considered a “financial institution” if it’s engaged in activities that are financial in nature or incidental to such financial activities. Examples of such financial institutions include auto dealerships, mortgage lenders and brokers, “payday” lenders, and others.
The Safeguards Rule requires these financial institutions to develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards designed to protect customers’ information.
The program has three main objectives.
Airiam can assist businesses with every step required to comply with the Safeguards Rule. To dive deeper into the specifics of the rule and links to FTC pages, visit our page for cybersecurity for auto dealerships.
Cybersecurity Maturity Model Certification (CMMC)
If your organization works as a vendor for a company that has DoD contracts, or if you work directly with DoD information, your company will soon be required to be CMMC compliant. CMMC is designed to ensure that defense contractors and vendors who support them meet a basic level of cybersecurity that protects sensitive defense information. CMMC compliance ensures proactive and consistent best practices for data security, and organizations that achieve CMMC compliance increase peace of mind and opportunity. AirComply works with your organization to guide you step-by-step to certification.
DoD Contracts are Big Business.
According to the Center for Strategic and International Studies, the DoD spent $421.3 billion in fiscal year 2020 on contracts. The US government takes security seriously. CMMC requirements continue to evolve, and new requirements impacting your business could take effect as early as 2023. Don’t jeopardize your ability to fulfill contracts. Getting certified now will ensure your organization can keep doing business with DoD and their vendors as requirements become more complex.
How Does CMMC Certify Businesses?
The CMMC model has five levels. Each level indicates a higher degree of protection for sensitive information. To reach certification for that level, the organization must also meet all the requirements of the level(s) below. Organizations cannot self-assess and must demonstrate mastery of processes and practices to outside assessors.
Level 1 is designed to safeguard federal contract information and requires careful monitoring of who can access data, how data is destroyed, how data is scanned and monitored to prevent malicious attacks, and other basic safeguards every business should follow. See FAR 52.204-21 for detailed descriptions of requirements.
Level 2 is a transition step into more mature cybersecurity protection for controlled unclassified information (CUI). This level addresses a little more than half of the NIST 800-171 controls plus all requirements from Level 1. NIST provides federal agencies with recommended requirements for protecting the confidentiality of CUI, which apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI or provide security protection for such components.
Level 3 covers all NIST 800-171 controls, a few additional requirements, and everything from previous levels.
Levels 4-5 are more involved and reduce the risk of advanced persistent threats using controls from a range of frameworks – CERT RMM v1.2, NIST SP 800-53, NIST SP 800-172, ISO 27002, CIS CSC 7.1, and others.
CMMC clearance level requirements vary, and classifications are set by the project. If your organization doesn’t work directly for the DoD, it may only need a Level 3 clearance or below. If your organization operates with high-value information, it will likely need a Level 4 or higher clearance. The Department of Defense determines whether an organization has the security necessary to work with controlled or otherwise vulnerable data.
NIST SP 800-171 is a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). Contractors must implement these recommended requirements to demonstrate they are providing adequate security to protect sensitive information included in their contracts, as required by FAR and DFARS. If a vendor is part of the supply chain of a contractor for the DoD, the General Services Administration (GSA), NASA, or other federal or state agencies, the vendor must also demonstrate that it meets the security requirements included in NIST SP 800-171.
NIST SP 800-171 tackles access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media and physical protection, personnel security, risk and security assessment, system and communications protection, and system and information integrity. Many organizations choose to implement the framework voluntarily since NIST is so thorough.
Airiam helps companies identify where gaps exist in NIST implementation that prevent them from being compliant. Once the gaps are determined, Airiam’s team of experts works with the organization to develop a plan and complete the steps needed to ensure compliance.