DoD Contractor CMMC Requirements

DoD Contractor CMMC Requirements are Mandatory for Prime Contractors and Subcontractors

Department of Defense (DoD) contractor CMMC requirements have been in development since 2015 as part of an ongoing effort to safeguard Controlled Unclassified Information (CUI). In 2020 an interim rule under the Defense Federal Acquisition Regulation Supplement (DFARS) required private DoD contractors to assess their implementation of the NIST SP 800-171 security requirements as an interim measure until the Cybersecurity Maturity Model Certification (CMMC) is finalized.

This change has left many businesses unprepared or under-prepared to establish the cybersecurity controls needed to compete for Department of Defense contracts. This is especially true of smaller companies working as subcontractors.

2020 Requirements Under NIST SP 800-171

The interim rule (DFARS Case 2019-D041) added clauses 252.204-7019 and 252.204-7020 alongside the existing 252.204-7012 safeguarding clause. Together they require a contractor to have a current NIST SP 800-171 DoD Assessment score on record before a contract can be awarded. This was enacted to improve the security of CUI in the supply chain until the CMMC program is in force.

The assessment uses a scoring methodology: a Basic assessment starts at 110 points (one per security requirement) and deducts a weighted value for each requirement that is not fully implemented. The methodology defines three assessment levels (Basic, Medium and High). The interim rule requires the contractor to complete a Basic-level self-assessment; Medium and High assessments are conducted by the government.

The resulting score is submitted through the Supplier Performance Risk System (SPRS), the DoD's web-enabled enterprise system for tracking DoD supply chain entities.

Support for Current Requirements

Many DoD subcontractors have sought guidance in the self-assessment process to meet the immediate requirements of the DFARS rule. CVG Strategy can provide assistance in this involved process and perform an initial assessment of an organization's basic cyber hygiene. Once that assessment score has been determined and submitted, we can provide a framework for improving it, giving the organization a competitive advantage in future contract bids.

Requirements Under CMMC 2.0

NIST SP 800-171 forms the backbone of the cybersecurity practices and controls used to protect CUI in the DoD supply chain. CMMC 2.0 requirements are currently divided into three levels:
    • Level 1 – Foundational consists of the 17 practices derived from FAR 52.204-21 and requires an annual self-assessment.
    • Level 2 – Advanced consists of the 110 security requirements of NIST SP 800-171 Revision 2, the standard for non-federal organizations that handle CUI. Contracts involving information deemed critical to national security require a third-party assessment every three years; a subset of programs may instead rely on an annual self-assessment.
    • Level 3 – Expert builds on the 110 requirements of NIST SP 800-171 and adds a subset of the enhanced requirements from NIST SP 800-172. Assessments are conducted every three years by government assessors.

Each level requires an organization to have the corresponding set of controls in place. Where a third-party assessment is required (Level 2), the organization must be assessed by a CMMC Third-Party Assessment Organization (C3PAO); Level 1 relies on self-assessment and Level 3 on government-led assessment.

CMMC Controls

CMMC Level 2 is built on the 110 requirements of NIST SP 800-171, organized into 14 families that span people, processes and technology. These include access control, configuration management, incident response, media protection, and system and communications protection, among others. While having these controls in place is essential, CMMC specifies what must be implemented; it does not provide a management system for operating and maintaining those controls over time.

Establishing an Effective CMMC Program

To effectively manage a large array of institutional cybersecurity controls, an Information Security Management System (ISMS) is required. An ISMS is a collection of policies, procedures, and controls that systematically address information security in an organization, built on risk assessment and risk management.

The most widely recognized and widely adopted ISMS standard in the business environment is ISO 27001. It shares many features with a quality management system such as ISO 9001. As such, it provides a management system for documenting the policies and processes that define security objectives and for selecting controls based on an organization's specific risk profile.

This documentation of security controls is especially important: NIST SP 800-171 itself requires a System Security Plan describing how each requirement is implemented, and that plan is likely to be the first item inspected in a CMMC assessment. A clearly defined system with defined objectives will help an organization through the certification process.

CVG Strategy has integrated ISO 27001 into CMMC programs for defense contractors. Because ISO 27001 certification is not a requirement for CMMC, this integration can be done without the added expense of a separate ISO certification audit. It instead provides a means of maintaining, monitoring, and reviewing the information security program from a risk management perspective.

Advantages of ISO 27001 Implementation

ISO 27001 requires ongoing risk assessment and asset management. It requires information security incident management so the organization can anticipate and respond to breaches. It requires regular, systematic internal audits to review that management. It also requires training and awareness throughout the organization so that security becomes an established practice.

An ISO Information Security Management System (ISMS) is a comprehensive approach to keeping confidential corporate information secure. It encompasses people, processes and IT systems and helps a business coordinate its security efforts consistently and cost effectively. ISO 27001 (ISO/IEC 27001) is the standard that helps a company develop this ISMS and ensures that it is integrated, comprehensive and incorporates internationally recognized best practices.

CVG Strategy Cybersecurity Solutions

CVG Strategy is committed to helping businesses protect the United States' controlled unclassified information by meeting DoD contractor CMMC requirements through effective cybersecurity programs. We know that viable solutions involve all stakeholders in an enterprise. They include people, policies, procedures, risk analysis, incident response, and an internal auditing process that yields continual improvement.

CVG Strategy provides cybersecurity consulting and training for large and small organizations. Our experts can tailor a program using a risk management process to identify information assets and interested parties. We can create the documentation and provide the essential training to establish your ISMS and guide you through certification audits.

How Can We Help?

CVG Strategy provides expertise to businesses in Quality Management, Product Test and Evaluation, Cybersecurity, and Export Compliance. Learn more about how we can help develop your organization's potential by contacting us today.
