Department of Defense issues CMMC 2.0 proposed rule

Bluestreak Consulting answers how to get compliant with new cybersecurity regulations.

On December 26, 2023, the much-awaited proposed rule meant to codify the Cybersecurity Maturity Model Certification (CMMC) 2.0 process was released for public comment.

The proposed rule aligns with changes already planned by the Department of Defense (DOD) contracting community. As anticipated, CMMC 2.0 employs three levels of maturity to enforce security measures for handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), following guidelines from NIST SP 800-171 Rev 2 and NIST SP 800-172. This includes documenting outstanding requirements in the Plan of Action and Milestones (POA&Ms), along with maintaining a current System Security Plan (SSP).


Businesses and organizations in the DOD supply chain must act quickly to get ready for the rollout of CMMC 2.0. Ignoring or failing to comply with its requirements could severely affect your present and future prospects. If your company plans to maintain defense-related contracts, achieving NIST SP 800-171 compliance and CMMC 2.0 certification will become mandatory soon. Becoming compliant is neither fast nor easy. The clock is ticking so take action now.

Joe Coleman

What Is CMMC 2.0?

CMMC 2.0 represents the most recent iteration of the DOD’s cybersecurity regulations. This framework builds on the requirements outlined in DFARS 252.204-7012, 7019, 7020, and 7021 and on the NIST SP 800-171 and NIST SP 800-172 security controls, introducing more stringent criteria to assess the cybersecurity capabilities of contractors and subcontractors. CMMC 2.0 includes three maturity levels, each building upon the previous one. Within CMMC 2.0, each tier encompasses a set of processes, practices, procedures, and capabilities contractors must implement to achieve the correct certification level for their business. The three levels are:

Level 1 – Foundational cyber hygiene
  • The most basic level of security, Level 1, requires implementing basic cybersecurity hygiene practices such as password management and keeping systems up to date with patches. This level is intended for small businesses with minimal risk to their data.
  • Level 1 is based on 17 controls found in FAR 52.204-21 and NIST SP 800-171. It serves as a great starting point for businesses either initiating their cybersecurity efforts or operating with limited resources.
  • Companies handling FCI need to obtain a Level 1 certification. These organizations aren’t classified as part of the critical infrastructure, a category that covers most businesses and government agencies. This level is NOT for companies handling CUI.
Level 2 – Advanced cyber hygiene
  • Level 2 builds on the cybersecurity hygiene practices of Level 1 and mandates additional measures. Like NIST SP 800-171, Level 2 includes 110 controls, covering areas such as access control, incident response, risk management, physical security, and system and information integrity.
  • Level 2 certification is required for companies handling CUI on behalf of the DOD or DOD Prime contractors, particularly those considered part of critical infrastructure. This includes companies operating in the defense, energy, water, communications, and transportation sectors.
Level 3 – Expert cyber hygiene
  • Level 3 is the highest tier of CMMC certification and requires the most stringent security measures. Based on NIST SP 800-171, Level 3 adds additional practices from NIST SP 800-172. These extra practices focus on advanced detection and response capabilities, information protection, and enhanced system “hardening” requirements.
  • Level 3 certification is mandatory for the same categories of companies that require Level 2 certification but also handle CUI in the most sensitive or higher security assurance levels of DOD contracts. Organizations subject to CMMC Level 3 certification need to be assessed by the Federal Government’s Defense Contract Management Agency (DCMA). Details regarding the assessment process for Level 3 are currently being developed and finalized.

CMMC 2.0 is an enhanced version of the CMMC framework developed by the DOD to improve the cybersecurity posture of defense contractors and their supply chain. Companies should be very concerned about CMMC 2.0 for several reasons, especially if they haven’t started the process.

  • Contractual requirement: Defense contracts will require compliance with CMMC 2.0. If DOD contractors or subcontractors want to participate in DOD-related contracts, they’ll need to adhere to the cybersecurity standards outlined in CMMC 2.0.
  • Supply chain impact: CMMC 2.0 applies to prime contractors AND subcontractors and suppliers within the defense industrial base (DIB). Companies within the DOD supply chain will be required to meet specific cybersecurity maturity levels to ensure the overall security of the defense ecosystem.
  • Increased security standards: CMMC 2.0 introduces higher cybersecurity standards and maturity levels compared to its predecessor. Companies need to assess and enhance their cybersecurity measures to meet the specified requirements, which may involve investments in technology, processes, and training.
  • Data protection and confidentiality: Companies often handle sensitive information related to defense contracts, including designs, specifications, and other proprietary data. CMMC 2.0 emphasizes that protecting CUI is crucial, and companies must implement measures to safeguard this information.
  • Competitive advantage: Being CMMC certified provides a distinct competitive advantage for companies. It demonstrates a commitment to cybersecurity and can enhance the trust and confidence of the DOD and its prime contractors, as well as other key customers.
  • Continuous monitoring and improvement: CMMC isn’t a one-time certification but requires continuous monitoring and improvement. Companies must establish enhanced cybersecurity practices and maintain them through time to stay compliant and keep their certification.
  • Potential impact on business operations: Not being certified to CMMC 2.0 could lead to disqualification from defense-related contracts. Companies may face business disruptions and loss of opportunities if they fail to meet the cybersecurity requirements set by the DOD.

How to get started

Because CMMC 2.0 is not yet fully released and draws from the security requirements outlined in NIST SP 800-171 Rev. 2, companies should already be NIST SP 800-171 compliant. NIST SP 800-171 Rev. 2 and CMMC 2.0 present significant challenges, requiring substantial effort and cost. The timeline for achieving compliance can range from 12 to 24 months, with most businesses going for a Level 2 certification.

The DOD is planning to use a four-phased rollout to release CMMC 2.0 implementation:

  • Phase 1 (0-6 months): Begins on the effective date of the CMMC revision to DFARS 252.204-7021. DOD intends to include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for all applicable DOD solicitations and contracts as a condition of contract award. DOD may, at its discretion, include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for applicable DOD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date. DOD may also, at its discretion, include CMMC Level 2 Certification Assessment in place of CMMC Level 2 Self-Assessment for applicable DOD solicitations and contracts.
  • Phase 2 (6-18 months): Begins six months following the start date of Phase 1. In addition to Phase 1 requirements, DOD intends to include CMMC Level 2 Certification Assessment for all applicable DOD solicitations and contracts as a condition of contract award. DOD may, at its discretion, delay the inclusion of CMMC Level 2 Certification Assessment to an option period instead of as a condition of contract award. DOD may also, at its discretion, include CMMC Level 3 Certification Assessment for applicable DOD solicitations and contracts.
  • Phase 3 (18-30 months): Begins one calendar year following the start date of Phase 2. In addition to Phase 1 and 2 requirements, DOD intends to include CMMC Level 2 Certification Assessment for all applicable DOD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded prior to the effective date. DOD intends to include CMMC Level 3 Certification Assessment for all applicable DOD solicitations and contracts as a condition of contract award. DOD may, at its discretion, delay the inclusion of CMMC Level 3 Certification Assessment to an option period instead of as a condition of contract award.
  • Phase 4 (30+ months): Begins one calendar year following the start date of Phase 3. DOD will include CMMC Program requirements in all applicable DOD solicitations and contracts including option periods on contracts awarded prior to the beginning of Phase 4.

Joe Coleman is the cybersecurity officer & CMMC-RPA for Bluestreak Consulting. He holds the certification of a CMMC Registered Practitioner Advanced (RPA) with more than 35 years of diverse manufacturing and engineering experience and has undergone extensive training in cybersecurity, DFARS, NIST SP 800-171, and CMMC requirements. For more information contact joe.coleman@go-throughput.com or 513.900.7934.

Bluestreak Consulting https://www.go-bluestreak.com
March 2024