
CMMC Proposed Rule is Here: What You Need to Know

January 23, 2024 | Posted in: Cybersecurity, Compliance

On Tuesday, December 26, 2023, the Department of Defense (DoD) published the proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program, opening a 60-day public comment period that ends February 26, 2024. CMMC is designed to ensure that defense contractors and subcontractors adhere to the information protection standards for federal contract information (FCI) and controlled unclassified information (CUI) already mandated by federal regulation. The goal is to safeguard sensitive unclassified data at a level commensurate with the risk posed by cybersecurity threats, including advanced persistent threats.

CMMC 2.0

The proposed rule revises aspects of the CMMC program in response to public concerns: it streamlines requirements to simplify compliance, prioritizes protection of DoD information, and reinforces collaboration between the DoD and industry to address evolving cyber threats. A follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule is expected in 2024.

Here is a detailed overview of what you need to know about CMMC and the IT security hygiene your organization may need to address.

What is the Cybersecurity Maturity Model Certification (CMMC)?

In November 2020, the DoD's interim DFARS rule implementing the initial version of the CMMC program (CMMC 1.0), which was derived from multiple cybersecurity standards, frameworks, and references, took effect. Shortly after, in March 2021, the DoD initiated an internal review, informed by public comment, to refine the policy and program implementation. On November 4, 2021, the DoD announced the completion of that review and released the strategic direction for the program, dubbed CMMC 2.0. The refined program structure and requirements are designed to verify the ability of Defense Industrial Base (DIB) contractors to implement the security requirements specified in NIST SP 800-171 Revision 2, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations."

The CMMC 2.0 framework is organized into a three-tier model that requires companies entrusted with national security information to achieve a progressively more advanced CMMC level, depending on the type and sensitivity of the Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) they process, store, or transmit. This protection also applies to information shared with subcontractors in a multi-tier supply chain. Flowing the CMMC requirements down to subcontractors is necessary because threats reach even the lowest supply chain tiers.

Both CUI and FCI include information created, collected, or received by or for the Government that is not intended for public release. CUI must additionally be safeguarded at every stage of its existence (in use, in storage, and in transmission) until it is destroyed, disseminated, or decontrolled.

Once CMMC is fully implemented, DoD contractors that handle sensitive unclassified Department information will be required to achieve a particular CMMC level as a condition of contract award. Depending on the level (Foundational, Advanced, or Expert), an authorized and accredited CMMC Third-Party Assessment Organization (C3PAO) will verify the DIB company's cybersecurity posture and its implementation of the required processes and practices. C3PAOs are accredited by an independent CMMC Accreditation Body (AB); on completion of the assessment, the DIB company receives the CMMC level certification its results support. The contractor's CMMC level is then recorded in the Supplier Performance Risk System (SPRS), which the DoD will use to verify a contractor's certification level before awarding a contract where one is required. Certifications are valid for three years and must be renewed at the end of that period to remain current.

When will CMMC go into effect?

The DoD has not released official dates for making CMMC 2.0 a contractual requirement. On November 22, 2023, the Office of Information and Regulatory Affairs (OIRA) completed its review of the CMMC model documents, so the CMMC final rule may be published and take effect as early as Q1 2025. Based on the DoD's comments thus far, we fully expect a phased roll-out of CMMC requirements in contracts.

Why did the DoD create CMMC?

To best understand the current CMMC Framework and Assessment Methodology, it is helpful to know the origins of this rule. Protection of unclassified information through minimum cybersecurity standards in the DoD supply chain has been required on DoD contracts since 2013. Those regulations relied on DIB contractors to self-attest, upon submission of a contract offer, that they had implemented or would implement the security requirements of the FAR 52.204-21 and DFARS 252.204-7012 clauses. They gave the DoD no means of assessing and verifying a contractor's compliance with the protection of government information before the contract was awarded.

The FAR clause mandates protection of any Federal Contract Information not intended for public release that is provided by or generated for the Government.

The DFARS clause requires a DIB contractor to protect Controlled Unclassified Information in Nonfederal Systems and Organizations by implementing the 110 security requirements of NIST SP 800-171 Revision 2; a contractor's implementation is scored under the DoD Assessment Methodology.

Why is the CMMC framework important?

Suspicion that contractors were not implementing the basic safeguarding and security requirements was confirmed when DIB contractors reported 248 security incidents to the DoD Cyber Crime Center between 2015 and 2018. These numbers got the attention of the Secretary of Defense, who requested an audit by the DoD Inspector General (IG) to determine whether contractors were protecting CUI on their networks and systems. The 2019 IG report found that DoD contractors did NOT consistently implement the mandated requirements, and emphasized that "malicious actors can exploit the vulnerabilities of contractors' networks and systems and exfiltrate information related to some of the Nation's most valuable advanced defense technologies." The IG report recommended that the DoD take steps to verify a contractor's ability to protect CUI, which led to the CMMC Framework and Assessment Methodology.

Who needs to comply with CMMC?

The CMMC requirement applies to any company or group within the DIB sector that receives, handles, or processes FCI or CUI from the DoD. A DIB contractor that does not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform an annual self-assessment, and a senior company official will need to submit an attestation confirming compliance. These affirmations of compliance will likely need to be submitted to SPRS as well.

Contractors that manage information critical to national security (the remaining subset of Level 2) must implement the 110 security requirements of NIST SP 800-171 Revision 2 and undergo third-party assessments by accredited C3PAOs. For the most critical defense programs, which require Level 3 certification, contractors will be accountable for a subset of the enhanced requirements of NIST SP 800-172, which supplements NIST SP 800-171 Revision 2. The DoD intends for Level 3 requirements to be assessed by government assessors rather than accredited C3PAOs; the details of the Level 3 assessment process are still being finalized.

How to prepare for a CMMC assessment?

For many DoD contractors and subcontractors, preparing for a CMMC assessment can feel like a daunting process. The good news is that Systems Engineering can get you there. We are a CMMC Registered Practitioner Organization (RPO) and have been working with the NIST SP 800-171 Revision 2 framework for years. We fully understand the cybersecurity processes and practices necessary to achieve CMMC compliance.

If your organization needs to become CMMC Level 2 compliant, we're here to help. We start with a CMMC Gap Analysis to identify missing or ineffective controls and practices in your environment. With this information, you can prioritize your gaps and create a plan for remediation. Learn more about becoming certified and start preparing now.

If you have any questions about CMMC and how we prepare you to achieve CMMC certification, call us at 888.624.6737, email us at info@systemsengineering.com, or visit our CMMC compliance service webpage.