With the release of the Cybersecurity Maturity Model Certification (CMMC), major changes are coming to the Department of Defense (DoD) supply chain for both contractors and subcontractors.
In November 2021, the DoD announced “CMMC 2.0,” whose requirements are designed to achieve the following primary goals identified in the DoD's internal review of the program:
Safeguard Sensitive Information: Enable and protect the warfighter by safeguarding sensitive information.
Enhance Cybersecurity: Dynamically enhance DIB cybersecurity to meet evolving threats.
Ensure Accountability: Ensure accountability while minimizing barriers to compliance with DoD requirements.
Foster a Cybersecurity Culture: Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience.
Maintain Public Trust: Uphold high professional and ethical standards to maintain public trust.
The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the Defense Industrial Base (DIB). It is designed to protect sensitive unclassified information shared by the Department of Defense (DoD) with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the DoD with increased assurance that contractors and subcontractors are meeting these requirements.
Key Features of the CMMC Framework:
Tiered Model:
CMMC requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also outlines the process for information flow down to subcontractors.
Assessment Requirement:
CMMC assessments allow the DoD to verify the implementation of clear cybersecurity standards.
Implementation through Contracts:
Once fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a specific CMMC level as a condition of contract award.
CMMC Compliance Requirements:
All DoD contractors and subcontractors must implement practices and controls to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
DoD contractors and subcontractors must undergo an assessment by a CMMC Third-Party Assessment Organization (C3PAO).
CMMC will be required for all DoD contractors (both prime and subcontractors) and should be considered a "license to do business with the DoD." Noncompliance could have serious implications, including:
Revenue Loss
Reputational Damage through Adverse Performance Reviews
Supply Chain Disruption
Exclusion from Proposals
Organizations across the defense industrial base are rigorously examining their controls related to NIST 800-171 and understanding the differences between NIST 800-171 and CMMC. Here are some specific areas of focus for DoD contractors:
Define Your CUI Boundary:
To determine the appropriate CMMC level, start by understanding your Controlled Unclassified Information (CUI) boundary and the types of information that flow through your environment.
Revisit Your System Security Plan (SSP):
Under previous DFARS clauses, DoD contractors were required to develop and maintain an SSP. Now is an ideal time to review and update your SSP, as it will be a crucial part of your CMMC assessment.
Review Your POA&M:
If you’ve performed a self-assessment, you should have developed a Plan of Action and Milestones (POA&M) that outlines gaps and plans to address them. Before your CMMC assessment, strive to close any outstanding gaps by reviewing and updating your POA&M.
CSCG takes a business-focused, comprehensive approach that supports cost savings, productivity, and risk reduction goals. We encourage DoD contractors to adopt a proactive, sustainable strategy that meets CMMC requirements on an ongoing basis rather than as a one-time effort.
Readiness Services: CSCG assists DoD contractors in achieving CMMC compliance by assessing existing processes and controls against the CMMC framework to identify any deficiencies.