The US Department of Defense (DoD) recently released new rules about data protection that its contractors must abide by. Because of the sensitive nature of the data DoD vendors handle, and the increasing prevalence of cybercrime, it is imperative that the agency maintain full control over its information assets. To do this, the DoD decided to improve on its current data-security standard, governed by DFARS regulations, by deploying the Cybersecurity Maturity Model Certification (CMMC).
Here are some of the most common questions regarding the new model:
What is Controlled Unclassified Information?
Controlled Unclassified Information (CUI), as defined by the US National Archives, refers to information that requires “safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies, excluding information that is under Executive Order 13526, Classified National Security Information December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.”
In practice, this means sensitive data that the DoD provides to contractors in support of contract deliverables, or information that a contractor or subcontractor creates in direct support of those deliverables. Items marked CUI, CDI, FOUO, or ITAR are also understood to fall into this protected class.
Why should DoD contractors concern themselves with cybersecurity?
CUI can be lost or stolen if DoD contractors do not take the necessary steps to protect it. Lost or stolen data not only leaves the contractor liable to the government agencies it serves, but can also threaten national security and the national economy. The ramifications of inadequate cybersecurity run deep, and it is imperative for DoD contractors to protect CUI to the fullest extent possible. Because foreign actors have been stealing defense secrets, the CMMC is designed so that, before a contract is awarded, a credentialed third party verifies that the contractor meets the maturity level attached to that contract. The DoD is rolling this requirement out across various as-yet-unnamed contracts over the next five years.
What are the DoD’s cybersecurity requirements?
The DoD requires contractors to abide by the CMMC framework. The CMMC “reviews and combines various cybersecurity standards and best practices and maps those controls and processes across several maturity levels that range from basic to advanced cyber hygiene.”
CMMC comprises five levels of cybersecurity maturity, with Level 5 the highest. The levels are built from FAR 48 CFR 52.204-21 (whose 17 basic safeguarding requirements make up Level 1), NIST Special Publication 800-171 r1 (whose 110 requirements are all included by Level 3, alongside additional practices), and Draft NIST Special Publication 800-171B (which informs Levels 4 and 5).
[Table: summary of how FAR 52.204-21, NIST SP 800-171 r1, and Draft NIST SP 800-171B map onto the CMMC levels. Source: Cybersecurity Maturity Model Certification. The table image is not reproduced in this text.]
Why was there a need to create the CMMC?
The CMMC (version 1.0) was released on January 31, 2020. It was created in response to the rising number of cyberthreats the DoD and its contractors encounter every year. The CMMC acts as a verification mechanism that determines which contractors are eligible to bid on certain DoD projects, based on the CMMC level they have been certified at.
The CMMC is poised to supersede the DoD's previous approach to contractor compliance under the Defense Federal Acquisition Regulation Supplement (DFARS), a self-attestation regime that historically saw low levels of actual compliance among contractors. Unlike the DFARS model, the CMMC lets the DoD categorize its vendors easily, and it allows resource-strapped businesses to meet Level 1 or Level 2 requirements so they can still qualify to bid on contracts that require only those levels.
What’s the difference between the DFARS and the CMMC?
Under DFARS, vendors are required to implement the 110 security requirements, grouped into 14 families, found in NIST Special Publication 800-171. Doing so makes the vendor DFARS-compliant. Under the CMMC framework, full implementation of NIST SP 800-171 leaves the vendor only a few additional practices short of CMMC Level 3, and a step toward the higher levels. Meanwhile, the CMMC model allows vendors who can meet only the 17 basic safeguarding requirements of FAR 48 CFR 52.204-21 to be certified at Level 1.
The CMMC builds on the DoD's existing trust-based security framework (DFARS 252.204-7012) by adding a verification component. In short, many contractors have taken shortcuts in meeting the DFARS requirements because that framework allows self-certification; the CMMC does not. The CMMC also aims to be more reliable and effective than the DFARS model, and more affordable to implement for contractors whose contracts require only the lower CMMC levels.
How do I choose the right CMMC compliance partner?
To choose well, you should first know which authorization class a prospective partner falls under. The CMMC Accreditation Body (CMMC-AB) classifies CMMC partners into two types:
C3PAOs, or CMMC Third Party Assessor Organizations, are companies authorized by the CMMC-AB to conduct and deliver CMMC assessments for organizations seeking certification (OSCs). A C3PAO assesses your organization and submits its findings and recommendations to the CMMC-AB, which determine whether your organization meets the CMMC maturity level your project or contract requires.
RPOs, or Registered Provider Organizations, provide consulting services to OSCs before they engage a C3PAO. RPOs are authorized by the CMMC-AB to help your organization prepare for its CMMC assessment.
Under the CMMC framework, organizations will likely need to work with both a C3PAO and an RPO. While some C3PAOs also qualify as RPOs, they may not provide both services to the same client, so as to prevent conflicts of interest. F1 Solutions is an RPO, so you may reach out to us for your CMMC advisory needs.
How ready is your organization to adhere to CMMC standards? Have your information system assessed through F1 Solutions' CMMC readiness consultation. Contact us today to learn more.
F1 Solutions is a Registered Provider Organization listed in the CMMC Marketplace and already has several credentialed Registered Practitioners (RPs) on staff.