The Department of Defense (DoD) has proposed a Defense Federal Acquisition Regulation Supplement (DFARS) amendment for contractor implementation of the Cybersecurity Maturity Model Certification (CMMC). DFARS case 2019-D041 was first published in September 2020 with an effective date of November 20, 2020, and its implementation was adjusted to allow for the development of CMMC 2.0. CMMC 2.0 establishes a framework for assessing how contractors implement the cybersecurity requirements that protect Controlled Unclassified Information (CUI) across the defense industrial base supply chain.
Proposed Rule Changes
The proposed rule changes require contractors to achieve and maintain the requisite CMMC level for the duration of a contract. Contractors will be required to annually affirm continuous compliance with the security requirements for all information systems used in the performance of the contract that store, process, or transmit Federal Contract Information (FCI) or CUI, and to report any changes or incidents within 72 hours.
The changes also require contracting officers to specify a minimum CMMC level, demonstrated by a current CMMC certification or self-assessment, as a condition for consideration of a contract. These required levels are communicated to offerors through the Supplier Performance Risk System (SPRS). Apparently successful offerors will then be required to provide the applicable DoD Unique Identifiers (UIDs) for all information systems that handle FCI or CUI. Offerors will not be eligible for contract award if they do not have a CMMC certificate or self-assessment entered into SPRS.
In addition, contractors must flow down a contract clause detailing the requirements of this DFARS amendment to lower-tier subcontractors and suppliers, so that information security is maintained throughout the supply chain.
Public Comments in Response to Rule Changes
As has been the case since the initial rollout of CMMC, concern has been raised about the impact of these rules on the small businesses that make up a significant percentage of the DoD supply chain. The DoD has responded by pointing out that CMMC is to be implemented in a phased rollout and that these requirements are expected to apply to only about one thousand small businesses in the first year.
Various comments asked how contractors are to know which CMMC requirements apply to them. The responses stated that the requirements will be identified in solicitations and contracts unless the contract is exclusively for Commercial Off-the-Shelf (COTS) items.
There was also some concern about whether Controlled Unclassified Information is uniformly defined. The DoD is referring concerned parties to 32 CFR Part 2002, Controlled Unclassified Information (CUI), for clarification.
Phased Implementation of CMMC
The phased implementation of CMMC is expected to take three years, with a number of phases introduced during that period. Emphasis will be placed on CMMC Levels 1 and 2 in the initial phases, with the DoD adding Level 3 requirements later on. There have been numerous alterations and pauses in this process, and the end result will have consequences for many organizations.
CVG Strategy Information Security Management System Consultants
To help businesses meet the challenges of the DFARS amendment for contractor implementation of CMMC, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system. This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.
We can help you meet your information security management system goals. CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors. We can provide the training required to understand and engage in an ISMS and make it meet your desired objectives. This process includes defining the context of your organization, creating internal auditing processes, and much more.
Identify Areas With CUI with CVG Strategy Signs
CVG Strategy also provides signs to identify areas containing CUI and export-controlled items. These signs should be posted at all facility entrances where products are produced or services are performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations (ITAR) per Title 22, Code of Federal Regulations (CFR), Parts 120-130.