There has been an alarming rise in the frequency of complex cyberattacks on the Federal Government’s systems and information. Preventing and defeating such attacks and safeguarding sensitive national security information has, therefore, become a top priority for the Federal Government, especially the Department of Defense (DoD).The DoD has launched Cybersecurity Maturity Model Certification (CMMC) as a comprehensive framework to protect the defense industrial base from cyberattacks. It is a program started by the DoD to measure the cybersecurity capabilities, readiness, and sophistication of the defense contractors. It aims to protect sensitive unclassified information shared by the Department with its contractors and subcontractors. More specifically, the main goal of the certification is to secure Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) that is in the possession and use of the government contractors.
Three key reasons that make CMMC necessary are:
- Ransomware and Phishing attacks
- Cyber attacks by foreign governments
- Non-compliance by contractors under a self-declaring model
CMMC incorporates several cybersecurity requirements into acquisition programs that are meant to provide DoD with increased assurance that contractors and subcontractors are meeting these requirements.
In this blog, we explain the Department’s strategic intent with respect to the CMMC program and what it means for small business contractors intending to do business with the DoD. The DoD recently launched CMMC 2.0, making some much-needed changes to the widely debated CMMC 1.0. The Department is currently engaged in rulemaking and internal resourcing as part of the implementation. Therefore, program details as laid out in this blog are subject to change during this process.
What does CMMC mean to Government Contractors?
CMMC seems to be the future of defense contracting, and if Small and Medium Businesses (SMBs) intend to work with the DoD in the future, then preparing for CMMC is important. CMMC 2.0 will be a requirement for contracts once the rulemaking process is completed. Compliance with CMMC will be essential to sign a DoD contract and to continue performing on it. Therefore, organizations that do not obtain a CMMC certification will not be permitted to receive or share the DoD information related to certain programs and projects. However, until rulemaking formally implements CMMC 2.0, the Defense Industrial Base’s (DIB) participation in CMMC will be voluntary.
CMMC is likely to influence a wide range of organizations that do business with the DoD. All federal defense contractors and subcontractors must acquire, process, store, and transmit sensitive information in accordance with the data security regulations of the Department. . Defense contractors must submit cybersecurity assessments to the DoD prior to receiving a government contract as part of the Cybersecurity Maturity Model Certification (CMMC) framework. Furthermore, depending on the sensitivity of the information linked with certain programs or technologies being developed, defense contractors must get and maintain specific certifications under the CMMC for the term of their contracts.
By 2026, every Federal Government contractor will be required to have at least CMMC Level 1. Until then, depending on the contract, only DOD contractors will be required to obtain CMMC Level 1, 2, or 3. CMMC is currently required in seven DOD contracts, and GSA has incorporated CMMC wording in two of its contracts: STARS III and the forthcoming Polaris GWAC. The framework, designed to increase cyber hygiene through the maturation of practices and processes, will impact the $712Bbn Defense industry, which is 3.2% of the Gross Domestic Product of the United States of America.
The Journey So Far: Recent changes from CMMC 1.0 to 2.0
Recently, DoD released the new CMMC 2.0 framework. It makes some significant departures from the CMMC 1.0 framework. The compliance levels, self-assessments, and cybersecurity controls are the most noteworthy modifications to this model. These are explained as follows:
- Aligned with widely accepted standards: CMMC 2.0 uses National Institute of Standards and Technology (NIST) cybersecurity standards.
- Reduction in the Number of Levels: CMMC 2.0 streamlines the model from 5 to 3 compliance levels, thereby simplifying the CMMC standard for companies, while safeguarding critical Department information. It eliminates Levels 2 and 4 of CMMC 1.0 and establishes three progressively sophisticated levels, depending on the type of information:
- Level 1 (Foundational) – For companies with Federal Contract Information (FCI) only, information requires protection but is not critical to national security. Level 1 is the same, and basic safeguarding standards are still required in accordance with the FAR regulations. Instead of requiring a third-party examination, Level 1 will require an annual certification of compliance from a company executive.
- Level 2 (Advanced) – For companies with Controlled Unclassified Information (CUI), NIST 800-171 compliance is maintained at Level 2, but the bespoke CMMC requirements are eliminated. Besides that, instead of relying on a third-party assessment, some contractors will be permitted to self-certify, however it is unclear where the threshold will be drawn.
- Level 3 (Expert) – For the highest priority programs with CUI, contractors seeking certification at this level must first be certified at Level 2 by a third-party assessor before applying for a government review at this level (presumably for the additional NIST SP 800-172 requirements). Furthermore, Level 3 will mandate at least partial compliance with NIST SP 800-172, “Enhanced Security Requirements for Protecting Unclassified Information,” and the DoD is still considering which NIST SP 800-172 standards will be introduced.
- Reduced assessment costs: CMMC 2.0 allows all companies at Level 1 (Foundational) and a subset of companies at Level 2 (Advanced) to demonstrate compliance through self-assessments.
- Third-party assessments will be required for prioritized acquisitions: Companies will be responsible for getting assessed and certified prior to contract award.
- Self-assessments will be required for other non-prioritized acquisitions: Companies will submit senior official affirmations to Supplier Performance Risk System (SPRS) after completing and reporting a CMMC Level 2 self-assessment.
- Higher accountability: More oversight of professional and ethical standards of third-party assessors.
- Spirit of collaboration: CMMC 2.0 allows companies, in certain limited cases, to make Plans of Action & Milestones (POA&Ms) to achieve certification.
- Added flexibility and speed: Waivers and POAM CMMC 2.0 also allows waivers to CMMC requirements under certain limited circumstances. Whenever a waiver is essential to accomplish a mission-critical work, DoD will approve waivers that will strictly be time-limited and approved by senior DoD personnel. The use of POA&Ms and waivers will allow the Department and the defense industrial base the flexibility to meet new threats and make risk-based decisions.
The new version of the CMMC model impacts multiple aspects of CMMC compliance, including changes to mandatory assessment, levels, practices of the model, implementation, and certification. The new model is believed to be introduced due to feedback from the industry and concerns from some small and medium businesses. In summary, DOD’s changes to the CMMC framework make CMMC certification easier for small and mid-sized businesses. The narrowed-down scope of assessments, and the ability for many contractors to self-assess, means that the CMMC process will be more streamlined and less costly, yet ensure the protection of sensitive information.
Challenges and Benefits of Getting Certified
The main challenges for SMB government contractors in implementing CMMC requirements are the costs involved and the identification of the assets covered under each level. But these cost burdens have been greatly alleviated by the changes laid out in CMMC 2.0. The benefits, therefore, outweigh the costs. The advantage to SMBs obtaining a CMMC certification is the improvement of their processes and simultaneously enhancing the protection of controlled unclassified information and intellectual property within the supply chain of the US DIB. This would help reduce the $1 trillion cost (on average) due to cybercrime.
The benefits of CMMC certification, among others, include the following:
- Staying prepared for the future as a defense contractor as CMMC seems to be the future for DoD contractors
- The Department is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC 2.0 Level 2 certification in the interim period while the rulemaking process is still underway
- Embracing a collaborative risk management approach which helps in reducing risk against a specific set of cyber threats
- Adopting best practices across maturity levels that range from basic cyber hygiene to advanced or progressive
- Preparing for and preventing cyber incidents
- Recover from a cyber incident without financial penalization
- Maximize the cybersecurity resilience of the DoD and DIB
- Cut the red tape for small and medium-sized businesses
- Sets priorities for protecting DoD information
- Reinforcing the cooperation between the DoD and industry in addressing evolving cyber threats
Inclusion of CMMC 2.0 in future DoD contracts will be necessary: As published in the official website, the interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only compulsory in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The Department does not intend to approve the inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process. Once CMMC 2.0 is codified through rulemaking, the Department will require companies to adhere to the revised CMMC framework according to requirements outlined in the regulation.
The official website mentions that CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines generally take 9-24 months, only then will CMMC 2.0 become a contract requirement. Changes that are part of CMMC 2.0 will be released through an interim rule. There will be a 60-day public comment period and concurrent congressional review that will be included prior to the rule becoming effective.
Scoring and requirement of CMMC in present and future solicitations: In the latest Polaris Draft Solicitation, GSA has set 750 points for CMMC certification. In addition, the Cybersecurity and SCRM Assessment will be evaluated on an acceptable/unacceptable basis and must be determined acceptable to be eligible for the award that clearly explains the importance and weightage the federal agencies are giving to the Cybersecurity requirements.
Bottom line: How you can start preparing for CMMC 2.0
As the phrase goes, “If not now, then when?”, preparing your small business for getting CMMC-certified will be a long and thorough process. Now is the right time to start taking the first steps if you haven’t already. These steps include:
- Evaluating the current operations control compliance gaps with NIST 800-171
- Documenting the Plan of Action & Milestones (POA&Ms)
- Implementing the Required Security Controls
- Documenting the policies and procedures in a System Security Plan
- Maintaining the Compliance
The Government’s new frameworks, standards, and certifications in the realm of cybersecurity can be a bit overwhelming for new small businesses. We at iQuasar can help you prepare for these changing realities and get you CMMC-ready. iQuasar Cyber Inc is a US-based organization that provides advisory, consulting, and managed services to its customers. Our services include Regulatory Compliance, Security Architecture, Identity & Access Management, and Managed Security Services. Our team of cybersecurity professionals and subject matter experts have vast experience serving Fortune 100 companies. iQuasar Cyber, Inc. is a Registered Provider Organization (RPO) and has a team of experienced cybersecurity consultants and assessment experts who conduct various cybersecurity assessments with high quality and professionalism. iQuasar Cyber’s cybersecurity team has conducted different types of compliance and provided guidance in combating cybersecurity risks to its clients. Some of the compliance assessment work provided by the iQuasar Cyber team includes ISO 9001:2015, ISO 27001, FFIEC, HIPAA, NIST 800-53, NIST 800-63, CCPA, GDPR, etc.