Attention Department of Defense (DoD) contractors and subcontractors!
The Compliance Clock is Ticking for DoD Contractors and Subs
If you handle federal contract information (FCI) and/or controlled unclassified information (CUI) as part of your contractual work with DoD, maintaining your contract requires that you demonstrate compliance with the CMMC 2.0 cybersecurity framework.
Failure to comply, or failure to have your compliance certified, will jeopardize your DoD work once the CMMC 2.0 requirement begins appearing in DoD contracts in May 2023.
The CMMC countdown has begun. If you start now, you have just enough time to become compliant and attain certification without risking your contract status.
Compliance is Not Negotiable
As a DoD contractor, subcontractor, or supplier, you will either achieve certified compliance or you will not. Your ability to win DoD contracts will depend on this outcome.
More than 200,000 organizations make up the extensive DoD supply chain. Almost three-quarters of these organizations (74%) are small subcontractors and suppliers, with varying degrees of cybersecurity and information security safeguards in place.
Heightened national security demands that DoD contractors, subs, and suppliers become more secure and protect their information more effectively from data breaches and other cyber threats. One weak link can jeopardize the entire chain.
New and Improved! Top Changes to CMMC 2.0
There are many exciting changes in CMMC 2.0, the new and improved version of Cybersecurity Maturity Model Certification. These are some of the most exciting improvements:
- Substantially streamlines and clarifies compliance requirements.
- Eliminates the complicated red tape that was so daunting for small and medium-sized suppliers. (Of course, that doesn’t necessarily mean it’s easy – just easier.)
- Reflects a complete restructuring of the model’s cybersecurity maturity levels—eliminating two of the original five levels.
- Improves assessment protocols, which helps reduce costs for contractors.
- Creates a more flexible path to certification, with the introduction of Plans of Action & Milestones (POA&Ms).
New Compliance Levels at a Glance
Three maturity levels correspond to the type of information a defense contractor, sub, or supplier is responsible for. CMMC 2.0 encompasses these two types of information:
Controlled unclassified information (CUI) is very sensitive information deemed to be “pertinent to our national interests, or pertinent to the important interests of entities beyond the federal government.” As such, CUI requires the protections spelled out in the updated version of the Cybersecurity Maturity Model Certification known as CMMC 2.0.
Federal contract information (FCI) is “provided by or created for the DoD under a contract to develop or deliver a product or service to DoD. It is not intended for public release.” As such, FCI is considered sensitive enough to require the stronger protections enumerated in CMMC 2.0.
To determine which level of compliance you must achieve, it is vital to understand these three levels. At a glance, they are:
- Level 1 – Foundational. This level of compliance is required for all contractors who handle FCI, or federal contract information—which is essentially all contractors. Level 1 is likely to be the only level of compliance required of the smallest suppliers and subs who comprise 74% of the supply chain.
- Level 2 – Advanced. This level focuses on protecting CUI or controlled unclassified information. Level 2 requires contractors to pass a CMMC compliance assessment, which must be conducted by a CMMC Third-Party Assessment Organization (known as a C3PAO) that has been officially authorized by the Cyber AB (formerly the CMMC Accreditation Body).
- Level 3 – Expert. This level of compliance is required for all contractors who handle CUI that is used in DoD’s highest priority programs. Many industry leaders must meet the requirements at this level.
Five Great Reasons to Start Now
The CMMC countdown has begun in earnest. CMMC 2.0 is expected to be published in the Federal Register in March 2023, making it officially live and mandatory. DoD contracts will begin to reflect the new compliance requirements 60 days later, in May 2023.
According to the Federal News Network, these are some of the most compelling reasons to begin your CMMC 2.0 compliance initiative today.
- Defense industry giants, the industry-leading contractors, began adopting the new CMMC 2.0 soon after it was announced in 2020. They have the resources to do so, and a lot to lose if they don’t.
- Already, these leaders seem increasingly reluctant to continue working with suppliers who are taking no action, preferring instead to work with subs and suppliers who are actively and seriously pursuing compliance with CMMC 2.0.
- Those who move quickly to implement CMMC 2.0 requirements demonstrate their commitment to securing their data and systems and requiring their partners to do the same. It’s a trust-builder for stakeholders and proves you’re in it to win it.
- The road to CMMC 2.0 compliance and certification can easily take six months, assuming your existing cybersecurity program is already in great shape. Depending on the extent of necessary upgrades, an organization may need several years to implement CMMC 2.0 requirements. As of today, you have eight months to secure your contractor status before DoD begins adding compliance requirements to contracts in May 2023.
- Finally, once CMMC 2.0 adoption is in full swing throughout the DoD supply chain, qualified security experts, Registered Provider Organizations (RPO), CMMC Third-Party Assessment Organizations (C3PAO), and other professional resources will be heavily engaged and very difficult to schedule.
Steps to Certified Compliance
There are four primary steps in the journey to CMMC 2.0 compliance, as outlined below.
Step 1 – Gap Assessment
This includes an assessment of current gaps in your security program that prevent you from being compliant with CMMC 2.0 requirements. To know what your requirements are, you must identify the level of certification you need, which is based on the type of information you handle (FCI, CUI, or CUI for high-priority projects).
To conduct your Gap Assessment, you will need to engage a Registered Provider Organization (RPO) authorized by the Cyber AB. This helps ensure that all security requirements are fully addressed at each applicable level.
Step 2 – Remediation
This step includes preparing a remediation plan to address the gaps identified in Step 1, and then executing that plan to bring your security program into compliance. You will need to create a Plan of Action & Milestones (POA&M) to document remediation actions to be taken, identify the resources required to accomplish those actions, and establish milestones (with scheduled completion dates) for the tasks. This step will likely include vulnerability assessments and penetration testing, development of compliant policies and procedures, and other activities. A System Security Plan (SSP) may also be required.
Consider Steps 1 and 2 to be a dress rehearsal for Step 3. Steps 1 and 2 will help you conserve financial and other resources because you will be efficiently guided by your RPO, who will maintain steady focus on your gap assessment and remediation without distractions.
Step 3 – Compliance Assessment and Certification
In this step, Level 1 contractors will conduct a self-assessment against the CMMC 2.0 compliance requirements that apply to them, and submit documentation as instructed. Level 2 and Level 3 contractors will engage an accredited C3PAO. Level 3 contractors will also undergo an evaluation by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
For Level 2 and 3 contractors, assessment results will be documented, and compliance certification will be awarded assuming a successful assessment. Once this step is complete, you are able to perform contract work for the DoD, including bidding on new contracts and contract renewals.
Step 4 – Optimization
This is an ongoing maintenance phase during which you should stay informed of cybersecurity trends, new information security tools, and emerging threats. Continue to monitor your systems, networks, and security safeguards to improve your security posture in between the required periodic assessments.
Your ongoing focus is on protecting the FCI and CUI you are responsible for in order to keep DoD supply chain security strong.
Summary
To protect against data breaches and information security incidents, the DoD requires its extensive supply chain to comply with the new Cybersecurity Maturity Model Certification, version 2.0. This model imposes a set of cybersecurity requirements at three different levels, based on the type of information contractors handle during their work with DoD.
By May 2023, those requirements will begin to appear in DoD contracts, which means contractors have about eight months to achieve certified compliance with CMMC 2.0 in order to continue bidding on DoD work. The compliance and certification process takes at least six months and could take several years, depending on the current state of cybersecurity in your organization.
Engaging a Registered Provider Organization to help you prepare for CMMC 2.0 compliance is a vital step that should be taken immediately. The CMMC countdown has begun, and the clock is ticking.
Important Note: 24By7Security is an authorized RPO and is listed as such in the Marketplace on the Cyber AB website. We are able to assist contractors at any level in the journey to CMMC 2.0 compliance. You can learn more about our CMMC 2.0 services on the 24By7Security website.