To ensure all government contractors are safeguarding sensitive information, the DoD has enhanced its security framework with the Cybersecurity Maturity Model Certification program, or CMMC. The CMMC program was introduced to protect federal contract information (FCI), controlled unclassified information (CUI), along with controlled unclassified information with no foreign dissemination (NOFORN).
Why is CMMC compliance important? Without a plan to conform with the CMMC level appropriate for your government contract, you could not only be putting important information at risk, but also be at real risk of permanently losing your contract.
WHAT IS CMMC?
The Cybersecurity Maturity Model Certification was introduced in September 2020 in order to align contractors with the Department of Defense information security requirements. The program was implemented to protect sensitive but unclassified information shared within the DoD and with subcontractor partners.
CMMC is designed for contractors to meet targeted cybersecurity goals in order to protect sensitive national security information when working with the DoD. By meeting CMMC, contractors can prove they have the means in place to reduce harm by safeguarding the FCI/CUI entrusted to them.
WHY THE DEPARTMENT OF DEFENSE CREATED CMMC
The Defense Industrial Base (DIB) remains a frequent target of cyber attacks from nation state actors and foreign adversaries. As such, it is a top priority for the Department to enhance cybersecurity measures that safeguard government information and can defeat these evolving threats.
Controlling sensitive data is critical for both contractors and national security. According to estimates from the DoD, their supply chain loses around $600 billion annually in intellectual property theft.
In response to these threats, attacks and vulnerabilities among suppliers, the DoD established CMMC to protect FCI and CUI. Essentially, it is a unified framework and mandate for all organizations in the supply chain.
WHAT IS THE PURPOSE OF CMMC 2.0?
Initially, defense contractors struggled with implementing the first iteration of this program, CMMC 1.0. In response, the Department of Defense developed CMMC 2.0. This leaner and more flexible version cuts through the red tape.
CMMC 2.0 introduces three features that make it easier to comply with national security standards and maintain contractor status. The tiered model allows organizations to build up their cybersecurity level in order to gain access to more sensitive information, allows the DoD to confirm that contractors are working to its cybersecurity standards, and allows the DoD to award contracts involving increasing levels of sensitive unclassified information based on a contractor’s CMMC level.
The core difference between these two frameworks is the flexibility 2.0 gives suppliers in satisfying level requirements. If you fall short of fully complying at level two or three, you have some flexibility in correcting practices without losing contract status.
CMMC 2.0 LEVELS
If organizations wish to do business with the DoD, they must follow the cybersecurity practices put into place by the evolution of CMMC 1.0 to CMMC 2.0. With more than 300,000 organizations in the DIB supply chain, it is crucial that each entity follows the same guidelines. The CMMC 2.0 framework levels simplify the process, with only three required stages for contractors and subcontractors.
Compliance is based on the type of information that the organization handles, as determined by the applicable clauses in the DoD contract that has been awarded. Each level within the three-tiered set of security standards for government contractors and subcontractors has specific assessments and practices. All of the levels are cumulative, meaning that once you achieve CMMC Level 1, Level 2 only requires adding on the next set of rules. Before you can determine which CMMC level your team should work towards, follow our CMMC requirements checklist to determine what level you need to maintain compliance.
CMMC LEVEL 1: FOUNDATIONAL
This level applies to DoD contractors that only work with FCI data. These suppliers are not involved in creating, processing or receiving controlled unclassified information. In order to maintain compliance with the CMMC foundational level, contractors must meet the 17 requirements of FAR 52.204-21. Currently, CMMC Level 1 doesn’t require a third-party assessment, but rather self-attestation.
CMMC LEVEL 2: ADVANCED
This level applies to all organizations that are involved in creating, processing, storing, or transmitting FCI, CUI, and Controlled Technical Information (CTI). In addition to meeting the CMMC Level 1 requirements, organizations must also meet the 110 security requirements outlined in NIST 800-171.
Unlike CMMC Level 1 attestation, Level 2 requires an assessment completed by a CMMC Third Party Assessor Organization (C3PAO), unless otherwise specified within the awarded contract. Meriplex can help you prepare for a C3PAO assessment through our managed detection and response services and our cybersecurity consulting services, giving you confidence that you will meet all the requirements to stay compliant.
CMMC LEVEL 3: EXPERT
CMMC Level 3 certification will be designed for any supplier that handles high-value assets. Although the full requirements for CMMC Level 3 have not yet been released, organizations that aspire to meet this stage must be compliant with the additional practices in NIST 800-172. The additional requirements will focus on protecting all sensitive information that an organization may encounter against advanced persistent threats. CMMC Level 3 compliance will be assessed by government officials once the requirements have been completed.
For every DoD contractor, maintaining data security to the CMMC 2.0 standard is crucial. Meriplex understands the importance of network security management and how the right protocols are vital for business continuity – especially when working with the DoD or other government agencies. Our SIEM and SOC solutions, managed detection and response service, and security awareness training offer a foundation for achieving CMMC 2.0 compliance across your organization. Contact us today to find out why our offerings can help you conform with the latest digital security standards.
WHAT CMMC 2.0 MEANS FOR GOVERNMENT CONTRACTORS
CMMC is the future for any organization interested in defense contracting. Therefore, it is important for you to prepare today if you intend to pursue contract work with the Department of Defense.
Once the rulemaking process is complete, CMMC 2.0 will be a requirement before being awarded contracts. Compliance with the standards is essential to obtaining and keeping the contracts.
Submitting cybersecurity assessments is another requirement for defense contractors. These must be completed before you can receive a defense contract. The sensitivity of the data covered by the contract determines which certification will apply throughout the term of your contract.
Until full implementation, you should continue to improve the health and wellness of your organization’s cybersecurity status. Whether you are a current defense supplier or will seek future contracts, you must comply with the current NIST mandates for handling sensitive data.
CONTRACTORS AND SUBCONTRACTORS THAT MUST COMPLY
If your organization has a government contract, now is the time to start preparing for compliance. By 2025, CMMC 2.0 Level 1 will be the minimum requirement for all suppliers within the Department.
The organizations that may handle, store or process controlled unclassified information include:
- Prime suppliers
- Subcontractors
- IT managed service providers
- Commercial suppliers
- Small business suppliers
- All tiers in the defense industrial base
PREPARING FOR THE CMMC 2.0 CERTIFICATION
As the DoD moves forward with CMMC 2.0, it’s critical to understand not only how the framework will affect your business, but also what your team will need to do in order to fit within the guidelines. Your team will need to answer three key questions.
WHAT IS OUR CURRENT DATA FLOW PROCEDURE?
Data flow is a critical component of how business is done in today’s world. Without a proper network monitoring program to understand how files and information are moving from one device to another, you could be susceptible to data attacks and IP loss from within your network.
WHERE IS OUR FCI/CUI STORED?
Storing FCI or CUI is not just a matter of proper data architecture. If you don’t know where or how FCI and CUI are stored within your systems, you could be opening yourself up to potential leaks, which could cause you to lose your DoD contract. Utilizing SASE and other secure storage options can block unwanted access to the locations where FCI and CUI are stored.
DO WE HAVE FULL CONTROL OVER THE SYSTEMS WHERE FCI/CUI ARE STORED?
Controlling information designated FCI and CUI is crucial to maintaining your CMMC compliance. Understanding how to prevent a data breach and maintaining strong endpoint security can ensure you have full control over where sensitive information is stored.
COUNT ON MERIPLEX’S ALIGNMENT WITH CMMC 2.0 FRAMEWORK
Following the government’s CMMC 2.0 standards and certifications can be overwhelming if you do it alone. Your team needs a partner that is not only fully aligned with the CMMC 2.0 Framework, but also approaches it from a security-first perspective to safeguard Federal Contract Information and CUI.
You can trust the Meriplex team to keep you on track with the constantly changing world of information technology and cybersecurity. Our company is a Registered Provider Organization (RPO) with trained security assessors that hold credentials issued by the Cybersecurity Assessor and Instructor Certification Organization (CAICO). Partnering with us can help to ensure you maintain your Department of Defense contractor status, and grow your ability to take on more contracts through the CMMC 2.0 Framework.
Meriplex provides consultation, assessments, cybersecurity solutions and managed services to our business clients. Our security-first approach ensures that every part of your organization meets certification requirements. Contact us now to learn more about how our approach to digital security can help your business grow into a stronger partner for the DoD and other government agencies.