The Department of Defense (DoD) has released its Cybersecurity Maturity Model Certification (CMMC) final rule. This rule will now require contractors to verify that required security measures have been implemented for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). These requirements are to be implemented in early to mid-2025, when verification of security controls will appear as a condition in Requests for Proposals (RFP). It can be expected that these information security requirements will quickly flow down to subcontractors.
CMMC Three Levels of Compliance
There are three defined levels of CMMC security compliance requirements for defense industrial base contractors.
Level 1
Level 1 requirements apply to contractors handling Federal Contract Information (FCI). FCI is information provided or generated by the U.S. government that is not intended for public release and that has been created under contract in connection with the provision of a product or service. Requirements for Level 1 compliance are defined in Federal Acquisition Regulation 52.204-21.
Level 2
Level 2 requirements apply to contractors that handle Controlled Unclassified Information (CUI). CUI is unclassified information required by or possessed by the U.S. government. CUI controls, as specified in NIST SP 800-171, are required to prevent the release of information pertaining to defense and national security.
Level 3
Level 3 requirements apply to contractors engaged with critical programs or high-value assets. Contractors falling in this category must meet all CMMC Level 1 and Level 2 requirements and meet 24 additional requirements specified in NIST SP 800-172.
The potential effective dates for final implementation of this Cybersecurity Maturity Model Certification (CMMC) Program structure are March of 2025 for Levels 1 and 2, and March of 2028 for Level 3.
Cybersecurity Certification
The DoD has relied on a system of contractor self-affirmations for cybersecurity requirements. This has been seen as largely ineffective given the active level of threat presented by foreign adversaries. The CMMC final rule will now require verification through CMMC Third-Party Assessment Organizations (C3PAOs) that organizations are compliant with NIST SP 800-171, rev. 2 requirements.
Concerns for Contractors and Subcontractors
There are numerous concerns for businesses in the defense industry that are in the process of implementing the required controls. Firstly, implementing an effective information security program is an involved process that requires a considerable amount of time and capital. This is having a disproportionate impact on smaller subcontractors.
Secondly, there are insufficient numbers of personnel qualified for critical roles in an information security program. Additionally, even if a business is prepared for certification, there are too few C3PAOs available to assess it.
Presently, many contractors are already rolling out requirements to subcontractors ahead of final CMMC implementation. This raises concerns that businesses may drop out of the already shrinking defense industrial sector.
Changes Implemented in the Final Rule
- External Service Providers (ESPs) that do not process, store, or transmit CUI are no longer required to meet the FedRAMP requirements of DFARS 252.204-7012. ESPs are third parties that deliver services affecting the confidentiality, integrity, or availability of DoD CUI. This provision applies both to ESPs that provide cloud services and to those that do not.
- Definitions were added to the CMMC for temporary deficiencies and enduring exceptions. These terms allow contractors to address security requirements not yet in place through a Plan of Action and Milestones (POA&M).
- Reassessments are now required for organizations undergoing Mergers and Acquisitions (M&A). New assessments would evaluate significant architectural or boundary changes to systems handling CUI.
CVG Strategy Information Security Management System Consultants
CVG Strategy can assist your organization in meeting the challenges of the CMMC final rule. We are dedicated to helping small businesses navigate federal regulations and contract requirements for Quality Management, Cybersecurity, Export Compliance, and Test and Evaluation. We can help you meet your information security management system goals. CVG Strategy QMS experts can provide the training required to understand and engage in an ISMS and make it meet desired objectives.
Identify Areas With CUI with CVG Strategy Signs
CVG Strategy provides signs to identify areas containing CUI and export-controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per Title 22, Code of Federal Regulations (CFR), Parts 120-130.