The Cybersecurity Maturity Model Certification (CMMC) is a new cybersecurity protocol that has been put in place for the Department of Defense (DoD) contractors. Although it was officially launched in January 2020, it is still in the process of being rolled out and enacted, so constant updates are being made.
DoD contractors need to stay up to date with updates and developments relating to CMMC and DFARS compliance in order to remain eligible for contracts and stay compliant with the industry’s cybersecurity requirements.
What Is the Basic Structure of CMMC?
CMMC outlines five levels of maturity that contractors can achieve. Depending on the information a business handles and the specific projects it works on, it may be required to achieve a higher level of certification.
Level 1: At this level, an organization carries out a minimum of 15 “basic cyber hygiene” practices to safeguard Federal Contract Information (FCI). These requirements are outlined in 48 CFR 52.204-21 and FAR 52.204-21.
Level 2: This level adds 55 practices to protect FCI.
Level 3: Beginning at this level, security is aimed at protecting CUI in addition to FCI. In the transition from Level 2 to Level 3, the DoD contractor must implement another 58 controls from the NIST SP 800-171 Rev. 1 security requirements. The organization will carry out “intermediate cyber hygiene” practices, such as incident response and regular data backup and testing.
Level 4: At this level, security practices are reviewed and their effectiveness is measured. The DoD contractor will implement 26 additional controls from NIST SP 800-171.
Level 5: Contractors must meet a final 15 requirements outlined in 48 CFR 52.204-21 and FAR 52.204-21 to achieve the highest level of CMMC maturity certification.
What Is the Interim Rule, and What Does It Mean?
One significant development in CMMC came in the form of the Interim Rule, which was released on September 29th.
Because it will take up to five years to completely implement new CMMC regulations, the Interim Rule was introduced to supplement current DFARS regulations by integrating some of the standards that will be required for CMMC. Its purpose is to enhance the protection of unclassified information within the DoD supply chain as soon as possible.
The changes enacted by the Interim Rule include requiring a scored self-assessment, published to the Supplier Performance Risk System (SPRS) by November 30, in order to remain eligible for contracts, and the announcement of increased random audits. In these audits, contractors will be assessed at the Basic, Medium or High level, depending on the level to which the contractor has implemented the outlined security measures.
So what does this mean for DoD contractors? Tim Brennan of SysArc, a Managed Security Service Provider that helps DoD contractors prepare for CMMC and understand the new DFARS Interim Rule, says, “Every DoD contractor needs to take immediate action to get a new, scored assessment, even if you’ve had an assessment performed recently.”
What to Do Now
The most important thing for contractors to do is to get up to date with the Interim Rule requirements by completing and reporting a scored assessment, and then to keep that assessment current through regular reassessments. Be sure to publish your assessment before December 1st, as from that date it is required of all contractors with a DFARS 252.204-7012 clause in their agreement in order to remain eligible for future contracts.