CMMC Cybersecurity Requirements for Defense Contractors

How do CMMC cybersecurity requirements impact defense contractors?

If your company works with the U.S. Department of Defense, or plans to, you should be aware of one compliance framework in particular: the Cybersecurity Maturity Model Certification, or CMMC. CMMC cybersecurity requirements directly shape the practices your organization must implement, whether you are a prime contractor or a small subcontractor at the far end of the supply chain. This article breaks down what CMMC requires, why it matters, and what defense contractors must do to prepare.

What is CMMC and what is its purpose?

CMMC stands for Cybersecurity Maturity Model Certification, a program created by the Department of Defense to safeguard sensitive government information as it moves through the defense industrial base. For years, defense contractors self-certified their adherence to cybersecurity standards, and audits found that most companies were claiming controls they had not actually implemented. CMMC was developed to address that problem by requiring third-party verification for the majority of contractors.

Fundamentally, CMMC is aimed at securing two types of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI is any information created or delivered under a government contract that is not intended for public release. CUI is more sensitive; it covers items such as export-controlled technical information, law enforcement information, and other categories explicitly designated by the federal government. The kind of data your organization handles dictates which CMMC level applies to you.

CMMC 2.0, the current framework, has three certification levels, each corresponding to the sensitivity of the data your organization handles:

  • Level 1 - Foundational:

    This applies to companies that handle Federal Contract Information. It requires adherence to 17 fundamental cybersecurity practices drawn from FAR 52.204-21. An annual self-assessment is permitted at this level.

  • Level 2 - Advanced:

    This applies to firms that handle Controlled Unclassified Information. It aligns with the 110 security practices of NIST SP 800-171. For most Level 2 contractors, a Certified Third-Party Assessment Organization (C3PAO) must conduct a triennial assessment.

  • Level 3 - Expert:

    This applies to companies engaged in the most critical DoD programs. It builds on NIST SP 800-171 and adds further practices drawn from NIST SP 800-172. Assessments are conducted by the government.

Impact of CMMC cybersecurity requirements on contractors

Before CMMC, the main cybersecurity regulation applicable to defense contractors was DFARS 252.204-7012, which required them to comply with NIST SP 800-171 and to self-assess. CMMC changes that dramatically: for Level 2 contractors and above, self-attestation is no longer sufficient, and third-party verification becomes a contractual requirement.

This means organizations can no longer simply write their cybersecurity policies and tick a box on a government form. They have to demonstrate that the required controls are actually in place and functioning. For many small and mid-sized defense contractors this is a major operational change: it must be planned for actively, it requires investment in security infrastructure, and in many cases it needs the support of a seasoned IT and compliance partner.

Important Requirements

For Level 2 contractors, CMMC requires that all 110 practices across the 14 domains of NIST SP 800-171 are implemented. These cover a wide range of cybersecurity practices, including:

  • Access control

    Access control governs who can reach systems and data, including multi-factor authentication for privileged and remote access.

  • Incident response

    Maintaining a documented plan to detect, report, and recover from cybersecurity incidents.

  • Configuration management

    Secure hardware and software configurations.

  • Media protection

    Managing the storage, transport and disposal of CUI on physical media.

  • Risk assessment

    Periodically assessing threats and vulnerabilities to organizational operations.

  • System and communications protection

    Monitoring and filtering network traffic, particularly at system boundaries.

  • Auditing and accountability

    Recording user activity and retaining logs that can be examined in a forensic investigation.

These are not aspirational goals; each control is assessed on a pass/fail basis. A C3PAO assessor compares each control against objective evidence, such as system settings, policy documents and interview responses. Weaknesses found during the assessment must be captured in a Plan of Action and Milestones (POA&M) and, depending on their severity, may have to be remediated before certification is granted.

What happens if a contractor is not compliant?

Since CMMC requirements are being phased into DoD contracts, there are real penalties for non-compliance. Contractors that lack the required certification level will not be allowed to bid on, or perform work under, a contract that requires it. Given that the DoD has signalled full implementation of CMMC requirements across the defense industrial base, time is running out. Firms that only start their CMMC process when a contract opportunity appears are likely to be shut out of the bidding process altogether.

Moreover, false claims of cybersecurity compliance can expose contractors to liability under the False Claims Act, a liability the Department of Justice has begun to actively pursue through its Civil Cyber-Fraud Initiative.

What Defense Contractors Need to Do

For organizations still in the early stages of CMMC readiness, the next step is to take an honest, structured look at where you stand. The most important initial steps are:

  • Identify your level of CMMC:

    Review your existing and anticipated contracts to determine whether you handle FCI, CUI, or both. This determines which level applies to your organization.

  • Carry out a gap assessment:

    Compare your current security controls against the relevant NIST SP 800-171 practices. A gap assessment gives you a realistic picture of where you are and where you need to be.

  • Define your System Security Plan (SSP):

    Document your environment, the CUI you handle, your system boundaries and the controls you have implemented. This document sits at the center of your CMMC assessment.

  • Work with a seasoned CMMC consultant:

    CMMC requirements are complex. Working with a managed IT and security provider that knows the framework can save considerable time and cost on the path to certification.

  • Start remediation early:

    The closer you are to a contract deadline, the more costly and stressful remediation becomes. For most organizations, a sensible planning horizon is to start the process 12-18 months before a required assessment.

How Solvere One helps defense contractors meet CMMC compliance

Solvere One is a managed IT and security services provider in the Washington, D.C. metro area with extensive experience supporting defense contractors and other organizations adjacent to the government. Our CMMC consulting services assist companies at every phase of the compliance process, from gap analysis and System Security Plan development through to ongoing managed security services that sustain your compliance posture over time.

CMMC compliance is not a one-time project; it requires a long-term approach to managing your security environment, your policies, and your people. As your IT and security partner, Solvere One helps ensure that the controls you have in place today do not fall out of date as your business grows and the threat environment shifts.

If you are a defense contractor and want to assess your CMMC readiness, contact Solvere One to book an appointment. We will help you understand where you are, where you need to go, and how to get there without the guesswork.