CMMC 2.0: DoD Contract Requirements for Defense Contractors
If your business works in the DoD supply chain, you will need to prove your CMMC compliance.
If you are a U.S. Department of Defense (DoD) contractor, you may be subject to the Cybersecurity Maturity Model Certification (CMMC) requirements. This standard outlines the cybersecurity requirements for DoD Defense Industrial Base (DIB) contractors in protecting sensitive information stored on their servers. For contractors who store or process Controlled Unclassified Information on DIB networks and servers, maintaining compliance with these requirements is necessary to protect this data from unauthorized access and misuse. At Meriplex, our skilled and knowledgeable team of technical experts can provide the support and assistance you need to implement a Cybersecurity Maturity Model Certification program to keep your data secure and protect your DoD contracts now and in the future.
The Cybersecurity Maturity Model Certification program is designed to provide a framework for maintaining security for the entire DoD supply chain — primarily for DoD contractors and subcontractors who handle Controlled Unclassified Information (CUI) and Covered Defense Information (CDI). CMMC establishes parameters for safeguarding this information by instituting cybersecurity measures and managing access to CUI and CDI in an efficient and strategic way.
Understanding the basics of CMMC can be challenging for your IT team and operations. However, working with a company with proven experience in cybersecurity measures and implementations can often allow you to manage Department of Defense requirements and achieve a higher level of protection for the data entrusted to your care. Meriplex can help you design a program to manage cybersecurity for CDI and CUI while remaining in compliance with all the provisions of CMMC.
Even though the data included in CUI is not subject to the same strict controls as classified information, protecting the confidentiality of this data is essential to the national security interests of the United States. According to the Defense Counterintelligence and Security Agency, however, unauthorized access to CUI can provide information to the enemies of the United States, which can translate directly into higher risks to our national security. Therefore, adequate and appropriate security is required when handling or maintaining CUI.
CUI and CDI stored in the Defense Industrial Base can be attractive targets for cyberattacks. While contractors have always been required to demonstrate that they are maintaining adequate security for this data, the framework and levels provided by the Cybersecurity Maturity Model Certification can create a standard for managing security and greater consistency in cybersecurity measures across the spectrum of DoD contractors. Additionally, this CMMC certification can improve cybersecurity for companies across the Defense Industrial Base by providing a verifiable assessment platform.
As far back as 2010, Executive Order 13556 defined CUI and provided some very general guidelines for protecting this information against cyber threats and unauthorized intrusion. In 2017, the DoD announced a requirement for defense contractors to self-assess their cybersecurity measures against the National Institute of Standards and Technology (NIST) requirements as outlined in the NIST 800-171 standard. While these self-assessments did represent a step forward in protecting CUI, the development of CMMC in 2019 marked a new stage in protecting this data against losses and unauthorized access by those with malicious intent.
CMMC 2.0 is expected to become part of standard defense contracts with organizations by May 2023. This streamlined standard will consist of three basic levels and will require more contractors to obtain third-party assessments of compliance to maintain their relationships with the Department of Defense and other government agencies. For contractors who will be subject to the requirements of CMMC 2.0, seeking help now from Meriplex can be a positive step in the right direction and can ensure compliance from day one of this new standard for cybersecurity.
The security controls required to stay in compliance with the CMMC were initially outlined in NIST Special Publication 800-171. However, self-assessment and certification of compliance with the NIST 800-171 standard have been required of many defense contractors since 2017. NIST 800-171 consists of 110-plus controls divided into 14 separate categories. All defense and government contractors were required to achieve Level 1 compliance with 17 basic practices. Higher levels of access required compliance with higher levels of cybersecurity and, in some cases, third-party assessments of the degree of compliance and the security afforded to CUI and CDI by these contractors.
By implementing the recommendations and requirements of NIST 800-171 into the measures taken to protect sensitive data, contractors can build a framework for compliance that will allow for improved security now and in the future. Meriplex can assist your company with NIST 800-171 compliance and can provide you with expert guidance on the best ways to implement a structure to protect sensitive data from misuse and unauthorized access. Creating a plan for compliance with NIST 800-171 is the first step toward securing information and maintaining your eligibility for contracts with the Department of Defense.
Maturity models are used in project management to offer consistent benchmarks and frameworks for measuring growth and progress in a specific area. Maturity models establish a series of levels through which organizations can progress. This tiered approach to adopting new technologies and implementing standards can allow companies to upgrade their processes in a much more efficient and effective way.
Maturity models generally provide a starting point for companies to begin their improvement process. This represents a baseline from which organizations can create consistent gains in their security arrangements. As the contractor becomes more familiar with best cybersecurity practices, they will advance through the various levels of compliance and expertise to create a much more secure environment for the data in their possession. Working with Meriplex can streamline the process of adopting these maturity models and achieving full compliance with NIST 800-171 and the provisions of this certification for increased opportunities with the Department of Defense.
Using a maturity-model framework for this certification will allow companies to roll out their cybersecurity implementations in a progressive way. If your company will be subject to the provisions of CMMC 2.0, beginning the process of working through the requirements now can put you in a better position when this standard goes live sometime in the future.
Since the initial announcement of the Cybersecurity Maturity Model Certification in 2019 and its inclusion in Department of Defense contracts starting in November 2020, efforts have been made to create a more streamlined approach to cybersecurity for contractors. CMMC 2.0 is the result of these enhancements and will likely go into effect in 2023.
The new standards will undergo scrutiny and rulemaking procedures before becoming mandatory for government contractors. Both Title 32 CFR and Title 48 CFR rulemaking will be required to ensure that 2.0 works as required and that all elements of the program are in accordance with the existing guidelines and frameworks for defense contracts and contractors.
The precise timeline for compliance with these cybersecurity standards for government contractors is not yet known. In general, the Cybersecurity Maturity Model Certification program was first announced by the U.S. Department of Defense in June 2019, released as a model document in February 2020, and published as an interim rule in September 2020. The interim rule received numerous comments and was restructured as CMMC 2.0 in November 2021. The Department of Defense has announced that it will submit certification for the program to the Office of Management and Budget sometime in January 2023. This is later than previously estimated and could lead to delays in the March 2023 estimate for the issuance of interim final rules for cybersecurity by the Defense Department.
The framework for this cybersecurity program generally consists of four primary elements, which are listed and explained below:
Outsourcing your compliance requirements to Meriplex can allow you to easily adopt this cybersecurity framework for your contracting firm. We can tailor an approach that will prevent CUI data breaches and protect this information in the most proactive way possible.
Level requirements are based on the type of information DIB companies are capable of handling. The level required for each contract will be included as part of the RFP for the contract, which will also include information on reporting compliance with these requirements. The first version of CMMC consisted of five basic maturity levels representing stages of required security for the information safeguarded by contractors:
Under 2.0, the number of levels has been reduced from five to three to reflect the actual requirements for protecting CUI from unauthorized access and misuse.
Working with a trusted cybersecurity firm can allow contractors to institute the right measures for protecting CUI and maintaining eligibility for contracts with the Department of Defense and other government agencies.
The requirements applicable to contractors can also apply to vendors and other elements of the supply chain. The various links in your supply chain should protect CUI and remain in compliance with the requirements and standards set forth by the Defense Department for your data. Working with a firm that specializes in compliance with these cybersecurity requirements can also allow your business to maintain adequate levels of security for vendors and other elements of your supply chain.
Qualifying for Cybersecurity Maturity Model Certification will likely take place in four stages as outlined in a draft published by the Cyber Accreditation Body on July 26, 2022:
This process will likely change before the new requirements go into effect sometime in 2023 or 2024. However, working with a company that specializes in cybersecurity, will continue to be a practical method for passing these assessments and maintaining eligibility for Defense Department contracts.
Companies that offer assistance with cybersecurity compliance can offer practical remediation services that include the following:
The companies that provide these CMMC compliance consulting services are typically Registered Provider Organizations (RPO).
Once you have established compliance with all cybersecurity requirements for certification, it is essential to remain in compliance. Working with a qualified and knowledgeable cybersecurity services provider will typically provide you with added help in maintaining your eligibility for contracts with the U.S. Department of Defense now and for the future of your organization.
At Meriplex, we offer practical help in preparing for CMMC requirements now and as these standards evolve. To learn more about the CMMC readiness services we offer and how we can help you manage your Defense Department contract compliance, contact us online or by email at firstname.lastname@example.org. We are here to help you manage all aspects of compliance for managing cybersecurity for CUI throughout your organization.