DoD Contractors and Subs Need to Be Proactive Now
The Department of Defense submitted its new version of the Cybersecurity Maturity Model Certification, CMMC 2.0, into the federal rulemaking process in July 2022. The interim final rule for CMMC 2.0 is still expected to be published in the next few months (the current estimate is June 2023). Following a 60-day comment period, CMMC 2.0 is expected to take effect in 2024 as a regulation under Titles 32 and 48 of the Code of Federal Regulations (CFR).
Although the timeline has slipped slightly, implementing CMMC 2.0 in an organization is estimated to take about 12 months. It cannot be disregarded or waited out any longer, at least not by any contractor that wants to remain in the U.S. defense industrial base and continue to work with the DoD.
If you handle Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) as part of your contractual work with DoD, you will be required to demonstrate compliance with the CMMC 2.0 cybersecurity framework in order to maintain your contract.
CMMC 2.0 requirements will begin appearing in DoD contracts in May 2023 and are expected to be included in all contracts by October 2025, according to the latest DoD estimate. With so much at stake, many larger contractors are already aligning their security programs to the new requirements and preparing for assessment.
The Scope of Impact
According to the DoD CIO, the Cybersecurity Maturity Model Certification program is designed to enforce the protection of sensitive unclassified information that the DoD shares with its contractors and subcontractors. The program gives the DoD increased “assurance that contractors and subs are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information (CUI)”.
More than 200,000 contractors and their subs make up the extensive DoD supply chain, also known as the defense industrial base. Almost three-quarters of these organizations (74%) are small subcontractors and suppliers, with widely varying cybersecurity and information security safeguards in place. Pentagon officials estimate that approximately 80,000 of these organizations handle CUI.
DoD contractors, subs, and suppliers are required to become more secure and to protect their information more effectively against data breaches, ransomware, and other cyber threats from hackers and adversarial nation states. While the DoD itself maintains extremely robust protections, one weak link in its contractor network can jeopardize the entire DoD supply chain.
Top Three Benefits of the New CMMC
Cybersecurity Maturity Model Certification 2.0 replaces CMMC 1.0, with one objective being to promote greater security with less complexity. The new version makes many changes; these are a few of the benefits.
- Substantially streamlines and clarifies compliance requirements and eliminates the complexity that was so daunting for the small and medium-sized suppliers who comprise nearly 75% of the contractor network.
- Reflects a complete restructuring of the model’s cybersecurity maturity levels—eliminating two of the original five levels to simplify compliance and assessment. It also improves assessment protocols to help reduce costs for contractors.
- Creates a more flexible path to certification with the introduction of Plans of Action & Milestones (POA&Ms).
New Compliance Levels at a Glance
Three maturity levels correspond to the type of information a defense contractor, sub, or supplier is responsible for. Both CUI and FCI are required to be protected by the provisions of CMMC 2.0.
Controlled unclassified information (CUI) is defined as very sensitive information deemed to be “pertinent to our national interests, or pertinent to the important interests of entities beyond the federal government.”
Federal contract information (FCI) is “provided by or created for the DoD under a contract to develop or deliver a product or service to DoD. It is not intended for public release.”
All contractors are required to be certified at one of three levels of certification now available with CMMC 2.0. CMMC assessment requirements vary based on the level of certification needed.
Assistance is available to help you understand the requirements for CMMC 2.0 implementation in your organization, and Registered Provider Organizations (RPOs) are registered with the Cyber AB to help you prepare for the mandatory CMMC assessments.
To determine which level of compliance you must achieve, it is vital to understand the three levels as outlined below.
Level 1. Foundational – Annual Self-Assessment
This level of compliance is required for all contractors who handle FCI, or federal contract information, which is essentially all contractors. Level 1 is likely to be the only level of compliance required of the smallest suppliers and subs who make up 74% of the supply chain.
At this level, annual self-assessments are required to demonstrate compliance with 17 security practices derived from the 15 basic safeguarding requirements in Federal Acquisition Regulation (FAR) 52.204-21.
Level 2. Advanced – Third-Party Assessment Every Three Years
This level focuses on protecting CUI or controlled unclassified information and is based on 110 security practices in the NIST SP 800-171 standard.
Level 2 generally requires contractors to pass a compliance assessment conducted by an authorized CMMC Third-Party Assessment Organization (known as a C3PAO). Third-party assessments are required every three years where critical national security information is in play; in select cases, an annual self-assessment is allowed instead.
Level 3. Expert – Government-Led Assessment Every Three Years
This level of compliance is required for contractors who handle CUI used in the DoD’s highest-priority programs, a small subset of the defense industrial base. Its requirements are based on the 110 security practices in NIST SP 800-171 plus a subset of the enhanced security practices in NIST SP 800-172.
Because this level carries the most stringent security requirements, the assessment is government-led: the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts it, and it is repeated every three years.
Steps You Should Be Taking Now
If you have already aligned your security program to CMMC 1.0, your next scheduled assessment will likely be conducted under CMMC 2.0. Start planning now to make that move as seamless as possible. The following steps will help you achieve the required level of certification efficiently and cost-effectively.
Step 1: Determine Your Compliance Level
Review the three levels of CMMC 2.0 compliance and determine which applies to your organization. This decision will determine the level of assessment and certification you need based on the type of information you handle (FCI, CUI, or CUI for high-priority projects). It will also determine what resources you are required to use in seeking certification.
If you prefer to wait until CMMC 2.0 is implemented, the DoD will specify your required CMMC compliance level in its solicitation. Of course, taking this reactive approach will shorten the time you’ll have to achieve compliance and be certified.
Step 2: Identify Your Security Gaps
Conduct an assessment to identify the current gaps in your security program that prevent you from meeting the CMMC 2.0 requirements at your level. For Level 1, assess against the FAR 52.204-21 requirements; for Level 2, against the 110 NIST SP 800-171 requirements; for Level 3, against NIST SP 800-171 plus the applicable NIST SP 800-172 practices.
You can conduct this gap assessment with your own staff or engage a Registered Provider Organization (RPO) to do it for you. Note that the gap assessment is preparatory only; the official Level 3 assessment is conducted by the DIB Cybersecurity Assessment Center, and the official Level 2 assessment by a C3PAO.
Step 3: Remediate the Gaps
Prepare a remediation plan to address the gaps and execute that plan to bring your security program into compliance. You will need to create a Plan of Action & Milestones (POA&M) to document the remediation actions to be taken, identify the resources required to accomplish them, and establish milestones (with scheduled completion dates) for the tasks. Bear in mind that DoD has indicated POA&Ms under CMMC 2.0 will be time-limited and will not be permitted for the highest-weighted practices, so treat a POA&M as a bridge to full compliance rather than a substitute for it.
This step will likely include vulnerability assessments and penetration testing, development of compliant policies and procedures, and other activities. A System Security Plan (SSP) is required at Level 2 and above, because NIST SP 800-171 (practice 3.12.4) calls for one; it is the document an assessor will use to understand your system boundary and how each practice is implemented.
Step 4: Officially Assess Your Compliance
After gap assessment and remediation, your security program should be in compliance with the requirements applicable at your CMMC 2.0 level. This proactive move toward CMMC 2.0 implementation puts you in the perfect position to conduct an official assessment for certification. Having done your preparation first, your final official steps will be much more efficient.
Level 1 contractors will conduct an annual self-assessment against the CMMC 2.0 compliance requirements that apply to them. Results will need to be submitted, with an annual affirmation by a senior executive of your organization, into the Supplier Performance Risk System (SPRS).
Level 2 contractors will engage an accredited C3PAO, or a certified CMMC Assessor acting on behalf of the C3PAO, to conduct a third-party assessment every three years, with all necessary documentation (or, in the select cases noted above, will submit an annual self-assessment). Level 3 contractors will engage with the DIBCAC for assessments every three years. Upon successful completion of assessment and certification, your organization will be able to perform contract work for the DoD, including bidding on new contracts and contract renewals.
Additional Information
Treatment of completed assessments. The DoD will store all assessment results in the Supplier Performance Risk System. CMMC certificates and associated third-party assessment data will be stored in the CMMC Enterprise Mission Assurance Support Services (eMASS) database. CMMC assessment results will not be made public. Additional information is available in published DoD FAQs.
Your responsibility doesn’t stop here. You will need to continue to protect the FCI and CUI in your care in order to maintain DoD supply chain security. Ongoing compliance requires that you continue to monitor your systems, networks, and security safeguards to maintain a robust security posture between assessments. You should also stay abreast of cybersecurity trends, new information security tools, and emerging threats to maintain your cybersecurity awareness.
Summary
To protect against data breaches and information security incidents, the DoD requires its extensive supply chain to comply with the new Cybersecurity Maturity Model Certification, version 2.0. This model imposes a set of cybersecurity requirements at three different levels, based on the type of information contractors handle during their work with DoD.
Very soon, in May 2023, those requirements will begin appearing in DoD contracts, and they are expected to be incorporated into the last contracts by October 2025, at which point CMMC 2.0 implementation will be complete across the defense industrial base.
Given the high stakes, some larger contractors have already become certified to the new requirements and others are in the process. For all contractors, subs, and suppliers, a proactive approach to adopting the new model seems to be the smartest strategy.
Important Note: 24By7Security is an authorized RPO and is listed as such in the Marketplace on the Cyber AB website. We are able to assist contractors, subs, and suppliers in the journey to CMMC 2.0 implementation, compliance, and certification. You can learn more about our CMMC 2.0 services on the 24By7Security website.