CMMC (Cybersecurity Maturity Model Certification) is a recent move by the U.S. Department of Defence to eradicate cybersecurity risks that could eventually lead to loss of sensitive DoD information to U.S. antagonists. This initiative seeks to bring over 300,000 Defense Industrial Base (DIB) partners into alignment with more enhanced cybersecurity compliance measures.
Since its rollout in early 2020, the CMMC model is yet to take its complete form, as it remains under constant review by the Pentagon. As such, any cybersecurity assessment provider offering your organization a complete solution to CMMC should be taken with a pinch of salt.
In this article, we will break down key aspects that defense contractors must grasp to ensure compliance and eligibility for new government defense contracts. Additionally, we will outline essential steps to establish adherence to the updated CMMC 2.0 framework.
Understanding NIST 800-171 and the DFARS Interim Rule
Any organization engaged in a contract with the Department of Defense must comply with a set of regulations designed to protect controlled unclassified information (CUI). The National Institute of Standards and Technology (NIST) 800-171 outlines cybersecurity standards for safeguarding this information, while the CMMC serves as an assurance that defense contractors meet the necessary requirements for handling controlled unclassified information.
Here’s the twist: the new requirements under CMMC 2.0 are expected to be fully implemented in 2025. In the meantime, the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule was put into effect (until all contractors are required to meet all the 110 controls specified by the NIST SP 800-171 in the near future).
The Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule mandates that defense contractors and subcontractors conduct a cybersecurity self-assessment. It also mandates that DIB supply chain partners satisfy a minimum implementation of some key NIST SP 800-171 controls. The results of the self-assessment are to be documented in the Supplier Performance Risk System.
Essential Requirements of CMMC and DFARS Interim Rule
To understand the intricacies of the CMMC and DFARS Interim Rule requirements, your organization must be familiar with the following key components:
- Self or third-party assessment – Organizations must evaluate their compliance with the cybersecurity requirements outlined in the CMMC, including the 110 controls specified in the NIST SP 800-171 framework. The ability to meet the three levels of assessment (basic, medium, and high) outlined in DFARS determines a contractor’s eligibility for government defense contracts. At minimum, defense contractors and subcontractors must self-assess and meet the level 1 (basic) requirements each year.
- The scoring system – Government contractors and subcontractors handling controlled unclassified information must establish security controls across various areas, such as access control, identification, authentication, incident response, risk assessment, and security assessment. A perfect score represents the implementation of all 110 NIST SP 800-171 controls, while incomplete or partially implemented requirements result in point deductions.
- Score submission timeframe – The results of the self-assessment must be uploaded to the Supplier Performance Risk System within 30 days of completion to be considered for new contracts or contract renewals. In cases where controls are incomplete or partially implemented, organizations must provide a Plan of Action and Milestones (POA&M) document, outlining how these deficiencies will be addressed and the estimated completion dates.
Adhering to the DFARS Interim Requirements will be a determining factor for winning new defense and federal contracts.
Ensuring Eligibility for Defense Contracts
Tightening your cybersecurity posture to meet CMMC standards starts with a thorough self-assessment, which provides an accurate evaluation of how well your internal control measures protect sensitive controlled unclassified information. With the CMMC 2.0 still under review, the DFARS Interim Rule is only expected to take effect as the new framework is set to be fully implemented in all defense contracts by October 2025.
As such, businesses are advised to prepare for the new CMMC framework by implementing the necessary cybersecurity controls as early as now. To better prepare for CMMC 2.0, consider implementing the following measures;
- Assess your current CMMC level – Compliance requirements vary based on the sensitivity of the information handled by the contractor. All contractors must meet minimum (level 1) requirements to qualify for new defense contracts. For contractors that process controlled unclassified information, they must meet the level 2 requirements while companies that handle more sensitive information meet the level 3 requirements.
- Establish your Systems Security Plan – This document outlines the NIST 800-171 controls that your company has implemented in its operational policies and procedures and will form the basis of your certification. At this stage, you want to review how you handle and process controlled unclassified information. Some important questions to ask include who can access and use the information, where it’s stored, and what measures protect it from unauthorized access.
- Document the process – It is important to document every process, from preparation, self-assessment, to remediation. Any gaps/deficiencies identified in your assessment can be addressed in the POA&M document, which essentially highlights the steps that you will take to mitigate the deficiencies.
Understanding and implementing CMMC requirements is a journey involving a series of difficult processes. The new compliance requirements are vast and overwhelming. Partnering with a cybersecurity company can help streamline the entire process. Through our expertise in the cybersecurity space and our advanced tools, our company can help you better understand your cybersecurity obligations as a defense contractor and implement the necessary DFARS Interim Rule and CMMC 2.0 requirements to qualify for lucrative defense contracts.
Download the Infographics
Hear from Philipp Baumann, owner and founder of BoomTech: