Two years ago, the Department of Defense (DoD) required all their contractors to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

NIST’s 800-171 outlined 110 controls for contractors that work with controlled unclassified information (CUI) to help them attain basic cybersecurity standards. Contractors were required to be in compliance or have a plan for compliance by the end of 2017.

Now, the DoD is in the process of releasing a new publication for cybersecurity, which will essentially replace 800-171 and require contractors to attain certification. The new standard will be called the Cybersecurity Maturity Model Certification (CMMC).

The Purpose of the CMMC in 2021

The certification is designed to correct issues with NIST’s 800-171 and set an enforceable uniform cybersecurity standard for DoD contractors throughout Washington DC and Northern Virginia.

Currently, contractors are allowed to confirm their own compliance with 800-171 by documenting an existing security plan that meets the controls and a subsequent plan for any unmet controls.

However, this system left many contractors with inadequate cybersecurity practices that had yet to meet the requirements and put data at risk. Compromised sensitive information led to numerous incidents for the DoD, and they’re now trying to improve their standards.

CMMC aims to designate universal cybersecurity practices for all DoD contractors.

The DoD will require third-party certification for this new model. Contractors must have met the issued requirements and attain certification to do business with the department.

The CMMC is expected to specify five levels of data security, ranging from basic measures to advanced practices.

The purpose of these varying levels is to allow contractors to implement the procedures most appropriate for their particular work.

Who Will Be Affected by the New Certification

Any DoD contractors that work with controlled unclassified information will be expected to gain certification under a third-party auditor. The DoD is expected to utilize a nonprofit organization to manage the certification process and auditors, although it’s not yet clear which organization will be hired or who the auditors will be.

The certification will also apply to all contractors who do business with the DoD. DoD contracts will detail the required security level needed to attain certification. The model is expected to be made so that most small businesses in Washington DC will be able to at least meet the level one requirements.

It’s also possible that the expenses of gaining compliance could be an allowable cost, so contractors could recover their expenses by achieving the certification.

When Is the Deadline

The Cybersecurity Maturity Model Certification guidelines haven’t yet been released and likely won’t be until later this year.

It’s expected that the certification process will begin throughout 2020 and 2021, although there is no set deadline to attain certification at this point.

Contractors throughout the area including Northern Virginia should expect to gain compliance and begin the certification process starting in 2020.

How You Can Prepare

Although no specifics have been published, the CMMC is expected to have new controls as well as some current ones carried over from the 800-171 publication.

Although some contractors in Washington DC may have NIST’s 800-171 controls in place, they need to be aware of the new controls as they’re released and make plans to meet them.

Contractors should not expect that just because they have gained 800-171 compliance that they will automatically be eligible for the Cybersecurity Maturity Model Certification.

There will be new controls and depending on which level contractors are required to meet, the cybersecurity measures could be much more advanced than what contractors in Northern Virginia are currently applying.

If the certification is successful in improving cybersecurity for DoD contractors and those that do business with the department, future models could be published for other sectors of the government as well.

Solvere One Is CMMC Ready!

If you do business with the DoD, you need to be ready for the new Cybersecurity Maturity Model that’ll be released later this year.

Solvere One provides CMMC-ready solutions and is prepared to help you meet the necessary controls.

Our expert team can help you prepare now to ensure you’re ready to gain compliance, and when the model is released, you’ll be ahead of the game to attain certification!

With the upcoming DoD deadline to incorporate the new cybersecurity regulation items into your nonfederal information system, government contractors are attempting to meet these requirements before December 31, 2017.

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 stipulates that nonfederal organizations put measures in place to protect classified defense information (CDI). These measures are outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Revision 1.

Are you ready for the upcoming deadline? Here are six things you should know about the new cybersecurity regulation.

 For Accurate and Timely Results, Work with Professionals

This is especially true if you’re in a time crunch. As a contractor, you can evaluate and select a professional IT company to provide you with high quality services to meet this cybersecurity regulation. These professionals can measure your cybersecurity risks and work with you to implement all 110 controls of NIST SP 800-171.

Working with a professional IT provider will help you get the ball rolling much faster—not to mention more accurately—than if you were to try and meet the requirements by yourself. To get your company in gear, find an IT provider that can help.

If You Fail to Comply, Expect Consequences

Although currently the government lacks resources to audit your compliance, they may ask to see your documented security plan. If your security plan is found to be in non-compliance with cybersecurity regulation, your organization may face consequences.

These penalties include having up to 20% of your pay withheld, your work suspended, or termination of your contract. You can avoid these consequences by ensuring compliance is met before the December 31, 2017 deadline.

The Cost of Compliance

Currently, specific guidelines are lacking for how these compliance expenses will be handled. For some companies, meeting the cybersecurity regulation will only require a few tweaks in their system. For others, a complete overhaul may be needed.

These business expenses related to compliance may be considered indirect costs; therefore, they may be allowable expenses under your contract if considered fair and reasonable. Regardless of the cost of compliance, you’ll still be expected to meet the requirements in order to continue your work for the government.

Cybersecurity Liability Insurance Isn’t Required

DFARS isn’t requiring contractors to purchase cybersecurity liability insurance. If you choose to purchase this insurance, the cost may or may not be allowable under your contract, depending on whether or not it’s necessary and sufficient.

Keep in mind that even if you experience a breach and your cybersecurity insurance denies to cover the costs, there’s no guarantee that it would be an allowed expense relating to your contract for this cybersecurity regulation. Your company needs to decide whether cybersecurity liability insurance would be worth it for your contract.

Liability Concerning Government Contractors

It’s important to keep in mind that primary contractors of the DoD are responsible for the performance of their subcontractors; this includes subcontractors’ ability to comply with NIST SP 800-171. Primary contractors don’t always communicate things such as cybersecurity regulation to their subcontractors, but you may be liable if your subcontractors aren’t meeting the regulations.

You can avoid penalties and help lessen your liability by communicating the NIST SP 800-171 requirements to your subcontractors before the deadline to give them a chance to meet the regulation before it’s too late.

Contractors and Limited Cybersecurity Staffing

Cybersecurity professionals tend to be limited in the world today, where daily threats are commonplace. While it’s a challenge to keep staff on hand to help with your cybersecurity regulation needs, you are responsible for this task as a government contractor.

You can create a balance of employees, tools, and resources to meet your cybersecurity needs. Know that the DoD won’t make an exception just because you may be having trouble finding an appropriate provider, so be sure to secure cybersecurity staff as soon as possible.

Are you ready for the new cybersecurity regulation? You can analyze the scope of your CDI to determine what needs to happen before the deadline. Working with a provider can accelerate the process, and remember that non-compliance won’t come without consequences. You can achieve compliancy before the deadline to uphold your contracts!