Why is CMMC Important?

Every organization must place data security high on the priority list. For any organization awarded government contracts with the Department of Defense, a strong overall cybersecurity posture is a matter of national security.

To ensure all parties are safeguarding sensitive information, the DoD has enhanced its security framework for online interactions with the Cybersecurity Maturity Model Certification (CMMC) program. This article will review why CMMC is important.

Why the Department of Defense Needs a CMMC Program

The defense industrial base remains a frequent target of cyber attacks from non-state actors and foreign adversaries. As such, it is a top priority for the Department to enhance cybersecurity measures that safeguard government information and can defeat these evolving threats.

In response to these threats, attacks and vulnerabilities among suppliers, the DoD established CMMC to protect federal contract information and controlled unclassified information. Essentially, this is a unified framework and mandate for all organizations.

If these organizations wish to do business with the government, they must follow the cybersecurity practices put into place. Furthermore, they must meet the maturity levels to obtain certification.

Initially, the Department developed CMMC 1.0 with five-level requirements to meet accreditation standards from NIST 800-171. Its latest program, CMMC 2.0, simplifies the process with only three required levels for contractors and subcontractors.

Threat Assessment to the DoD Supply Chain

Although controlled unclassified information is not classified, the Department still believes that this information must be protected. The computer systems at the DoD contain large amounts of sensitive data.

The Department maintains a well-implemented cybersecurity posture and follows astute procurement due diligence practices. However, this does not mean that all vulnerabilities are suppressed.

Internally, this information is stored under the Department's own controls. Once it is in transit among thousands of outside entities, the data is vulnerable to cyber attacks, and any exposure threatens national security.

Purpose of CMMC 2.0

Initially, defense contractors struggled with implementing the first iteration of this program, CMMC 1.0. In response, the Department of Defense developed CMMC 2.0. This leaner and more flexible version cuts through the red tape.

With CMMC 1.0, suppliers had to pass five maturity levels for protecting data from online criminals:

  • Basic
  • Intermediate
  • Good
  • Proactive
  • Advanced

However, the newest version eliminates levels 2 and 4, and only requires three maturity levels. Priorities for protecting sensitive data and addressing evolving cyber threats remain.

Another difference between these two frameworks is the flexibility 2.0 gives suppliers in satisfying the requirements of each level. If you fall short of fully complying at any level, you have some flexibility in correcting certain practices without losing contract status.

CMMC Levels

With more than 300,000 organizations part of the Defense Industrial Base (DIB) supply chain, it is crucial that each entity follows the same guidelines. Each level within the three-tiered set of security standards for government contractors and subcontractors has specific assessments and practices.

Compliance is based on the type of information that the organization handles.

Level 1 Foundational

This level applies to DoD contractors that do not handle high-value assets. Additionally, these suppliers are not involved in the creation, processing or receiving of controlled unclassified information.

Level 2 Advanced

This level applies to all organizations that are involved in the creation, processing or receiving of controlled unclassified information.

Level 3 Expert

Certification for this level is for any supplier that handles high-value assets. They must focus on protecting all sensitive information that they encounter against advanced persistent threats. This level is for organizations that handle or deal with controlled unclassified information.

What This Means for Government Contractors

Cybersecurity Maturity Model Certification is the future for any organization interested in defense contracting. Therefore, it is important for you to prepare today if you intend to pursue contract work with the Department of Defense.

Until full implementation, you should continue to improve your organization’s cybersecurity posture. Whether you are a current defense supplier or will seek future contracts, you must comply with the current NIST mandates for handling sensitive data.

Once the rulemaking process is complete, CMMC 2.0 will be a requirement before being awarded contracts. Compliance with the standards is essential to obtaining and keeping the contracts.

Without Cybersecurity Maturity Model Certification accreditation, your organization will not be permitted to receive or share information related to specific projects and programs within the Department.

Submitting cybersecurity assessments is another requirement for defense contractors. These must be completed before you can receive a defense contract. The sensitivity of the data that applies to the contract determines which certification will apply throughout the term of your contract.

Contractors and Subcontractors That Must Comply

If your organization has a government contract, now is the time to start preparing for compliance. By 2026, CMMC 2.0 Level 1 will be the minimum requirement for all suppliers within the Department.

The list of organizations that may handle, store or process controlled unclassified information includes:

  • Prime suppliers
  • Subcontractors
  • IT managed service providers
  • Commercial suppliers
  • Small business suppliers
  • All tiers in the defense industrial base
  • Foreign suppliers

Challenges and Benefits of Certification

Initially, organizations wanting to secure defense contracts faced two concerning challenges. First, organizations needed to absorb the costs of implementing Cybersecurity Maturity Model Certification requirements. Second, they had to identify the assets each level covered.

However, CMMC 2.0 has alleviated the cost burden. As a result, the benefits of obtaining accreditation outweigh the costs. Not only are organizations better positioned to secure contracts with the government, but also their processes for keeping network systems secure improve across the board.

Protecting intellectual property and controlled unclassified information within the supply chain reduces costs incurred due to cybercrimes.

The benefits of becoming CMMC certified include:

  • Being prepared for future defense contracts
  • Potential incentives from the Department for voluntarily being Level 2 certified
  • Recovering from a cyber attack without being financially penalized
  • A proactive approach to preventing cyber incidents
  • Uniform priority standards to protect DoD information
  • Maximized cybersecurity resilience
  • Having a collaborative risk management approach to reduce the number of cyber threats
  • Best practices starting with basic cyber hygiene through advanced status across each maturity level

How to Prepare for CMMC 2.0

Compared to CMMC 1.0, CMMC 2.0 reduces the burden on organizations of meeting requirements such as security audits. Still, you do not want to be the contractor that becomes complacent. Preparing for the new requirements begins now.

The first step to consider is determining which level will apply to your organization and the type of contracts you hope to acquire. As mentioned, this will depend on whether you handle high-value assets or controlled unclassified information.

Next, mapping out a timeline to become compliant will ensure your efforts stay on target. A date for full implementation is still pending. However, the rulemaking process could last anywhere from 9 to 24 months.

Notwithstanding these considerations, ensuring your organization is CMMC-certified is not an overnight process. You will need to be thorough in addressing issues such as:

  • Evaluation of current operations to identify compliance gaps
  • Developing a plan for reaching each milestone in becoming certified
  • Documenting a plan of action for handling cyber incidents
  • Creating a System Security Plan that covers policies and procedures
  • A course of action to maintain compliance

Count on Professional Guidance and Preparation

If following the government’s CMMC 2.0 standards and certifications seems a bit overwhelming, let our Meriplex team keep you on track with these changing realities. Partnering with us can help to ensure you maintain your Department of Defense contractor status.

Meriplex provides consultation, assessments, cybersecurity solutions and managed services to our business clients. Our security-first approach ensures that every part of your organization meets certification requirements. Do not hesitate to contact us today to learn more.