CMMC Consulting In Washington DC, Maryland And Virginia
If you work with the DoD, then you’re on the clock to comply with CMMC — do you know what’s involved, and what it means for your organization?
Late in 2021 and refined in 2022, the first version of the DOD’s Cybersecurity Maturity Model Certification (CMMC) laid out new cybersecurity requirements for contractors like yours. The intention is to continually provide more accurate and more effective insight into modern cybersecurity best practices for organizations involved with DOD operations.
If you are a government contractor, you’ve probably heard about CMMC by now, but you still might not be sure if it applies to you. Check out our latest video to explore the basics of CMMC compliance.
What Is CMMC?
CMMC is the DOD’s way of certifying its contractors’ abilities to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared within the supply chain.
This builds upon the requirements set out by the Defense Federal Acquisition Regulation Supplement (DFARS), Code Of Federal Regulations (CFR), and National Institute of Standards and Technology (NIST) guidelines (namely, 800-171 of the latter).
The DOD relies on external contractors and suppliers like you to carry out a wide range of tasks. Sensitive data that is shared with you must be protected. The fact is that inadequate safeguards for this sensitive data may threaten America’s National Security and put our military members at risk.
The DOD has implemented a basic set of cybersecurity controls through DOD policies and DFARS. These rules and clauses apply to the safeguarding of contractor/supplier information systems that process, store or transmit Controlled Unclassified Information (CUI).
These security controls must be implemented at both the contractor and subcontractor levels based on information security guidance developed by the National Institute of Standards and NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations”.
Who Does CMMC Apply To?
If you do business with the DPD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. Anyone operating in the DOD supply chain must become certified to showcase that they’re able to protect controlled unclassified information (CUI).
What Organizations Need To Meet CMMC Requirements?
The Department of Defense’s CMMC 2.0 program will use a tiered approach to contractor assessments, as illustrated below. DIB companies will be required to undergo third-party assessments for CMMC compliance based on the type of information they are working with.
This tiered approach will allow the DoD to focus its resources on those contractors who handle the most sensitive information. The CMMC 2.0 program is a significant improvement over the previous version, which did not consider the different types of information that contractors work with.
This new approach will make it easier for the DoD to ensure that its contractors are compliant with its cybersecurity requirements.
To meet Level 1 requirements for Federal Contract Information (FCI), a company does not need to go through third-party certification. Instead, the contractor must be able to specify the people, technology, facilities, and external providers within their environment that process, store or transmit FCI. In addition, companies will be required to self-certify once per year that they meet the basic safeguarding requirements for FCI specified in FAR clause 52.204.21. By taking these measures, companies can ensure that they are meeting the requirements for FCI and can avoid the costly and time-consuming process of third-party certification.
The Department of Defense (DoD) has announced an update to its requirements for contractors handling Controlled Unclassified Information (CUI). Previously, the DoD had stated that it would bifurcate level 2 requirements. Still, the new update will require all Level 2 defense contractors to undergo third-party assessments once every three years. These assessments will be conducted only by accredited CMMC Third Party Assessment Organizations (C3PAOs) or certified CMMC Assessors. The DoD believes that this change will improve the security of CUI and help to prevent any potential data breaches. Contractors who are non-compliant with the new requirements may face significant penalties, including the loss of their government contracts.
The CMMC 2.0 Assessment Guide is expected to be released in the coming months, at which point the CMMC Accreditation Body (CMMC-AB) will resume training C3PAOs, CMMC Assessors, and CMMC consultants. Contractors will be fully responsible for obtaining and coordinating the necessary assessment and certification. The guide’s release will mark an important milestone in the transition to the new Cybersecurity Maturity Model Certification (CMMC) framework. The new guide is designed to provide a more streamlined and user-friendly assessment process and improve upon the existing certifications offered by the CMMC-AB. With the release of the new guide, the CMMC-AB will be able to provide a more comprehensive training program for those who wish to become certified under the new framework. In addition, the release of the guide will also allow contractors to understand better their responsibility in obtaining and coordinating the necessary assessments and certification.
After a CMMC assessment has been completed, the C3PAO will provide an assessment report to the Department of Defense. The requirements for Level 2 completely align with the standards set by NIST SP 800-171. Self-assessment of compliance with NIST SP 800-171 has been required since 2017 for contractors who are subject to DFARS 252.204-7012. In addition, as of November 2020, scores must be reported to the DoD’s SPRS (Supplier Performance Risk System). The assessment report will help the DoD determine if a contractor is capable of meeting the requirements for a particular level of certification. It is important to remember that self-assessment of NIST SP 800-171 compliance is only one part of the CMMC certification process. Contractors who want to achieve a higher level of certification will need to undergo an independent third-party assessment.
Level 3 compliance is the highest level of compliance for companies seeking to do business with the Department of Defense. To achieve Level 3 compliance, companies must meet the security requirements specified in NIST SP 800-171 plus a subset of requirements specified in NIST SP 800-172. The DoD is still in the process of determining how organizations seeking level 3 compliance will be assessed. However, those companies will require a DIBCAC audit to achieve compliance. A DIBCAC audit is an extensive audit that covers all aspects of a company’s security posture. The audit is conducted by experts who evaluate a company’s security policies, procedures, and practices. The audit team also conducts on-site inspections to ensure that a company meets all of the required security standards. Achieving Level 3 compliance is a rigorous process, but it is essential for companies that want to do business with the Department of Defense.
What Cybersecurity Requirement Levels Are Included In CMMC?
CMMC Levels 1 To 3
The Department of Defense (DoD) has announced that it will be making some changes to the Cybersecurity Maturity Model Certification (CMMC) program. In particular, CMMC 2.0 will be dropping the number of CMMC levels from five to three by doing away with the old levels 2 and 4, which were initially developed as transition levels.
The new CMMC 2.0 levels are based on the type of information DIB companies handle. Level 1 is for companies that handle Controlled Unclassified Information (CUI), and Level 2 is for companies that handle CUI and Federal Contract Information (FCI). Level 3 is for companies that handle CUI, FCI, and Critical Defense Information (CDI). This change should simplify the process of achieving compliance with the CMMC for many companies, and it will also make it easier for the DoD to audit and enforce compliance.
Level 1 – Foundational
Level 1 (Foundational) only applies to companies that focus on FCI protection. It is comparable to the old CMMC Level 1. Level 1 will be based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, and focus on the protection of FCI. These controls protect covered contractor information systems and limit access to authorized users. The objective of these controls is to implement measures to prevent unauthorized access or use of FCI and minimize the risks associated with such access or use. Level 1 represents the minimum acceptable level of security for all covered defense contractor organizations. All controlled unclassified information (CUI) within a company’s environment must be safeguarded in accordance with applicable laws, regulations, and standards. Organizations must have formalized security policies and procedures that address the least privilege, need-to-know, separation of duties, mandatory vacations, and other relevant security topics.
All employees and contractors who have access to FCI must receive security awareness training on an annual basis that covers topics such as basic security hygiene, email and internet usage, social engineering, and physical security. In addition, all workforce members must complete organization-specific security training before being granted access to FCI. Organizations must also have a plan to respond to and report security incidents.
Level 2 – Advanced
Level 2 (Advanced) is for companies handling CUI and is equivalent to the old CMMC Level 3. The 20 requirements from the old Level 3 that the DoD had mandated are no longer in place, and instead, Level 2 (Advanced) follows the 14 levels and 110 security controls set by NIST SP 800-171. This makes the process simpler and more streamlined, as now companies only have to focus on following one set of guidelines instead of two. In addition, this also means that there is greater uniformity across different businesses handling CUI, as they are all working towards the same goal. As a result, the new Level 2 (Advanced) is a welcome improvement for businesses and the DoD.
Level 3 – Expert
The Department of Defense is focused on reducing the risk from Advanced Persistent Threats (APTs) and has designed Level 3 (Expert) of the Cybersecurity Maturity Model Certification (CMMC) for companies working with CUI on DoD’s highest priority programs. The specific security requirements for the Level 3 (Expert) have not been finalized, but they will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls. In other words, if you want to work on the DoD’s highest priority programs, you’d better be prepared to meet some pretty stringent cybersecurity requirements!
Need Expert Assistance Implementing CMMC?
Don’t drop out of the defense contracting sector just because it’s become more difficult to stay compliant. Investing in CMMC compliance will make you a more valuable contractor for the DoD, and improve your cybersecurity in general.
If you’re looking for guidance, Orion Networks is here to help. We work with DOD contractors throughout the Northern Virginia, Maryland and Washington DC areas, and can assist in developing confident CMMC compliance.