Understanding CMMC Requirements for DoD Suppliers

Understanding CMMC Requirements

Understanding CMMC Requirements is critical for businesses of all sizes in the defense industry.  This need is becoming more urgent as final release of CMMC 2.0 is expected to occur in 2023.  Failure to achieve an appropriate level of Cybersecurity Maturity Model Certification in a timely manner may impede an organization’s ability to participate in Department of Defense (DoD) contracts.

The Importance of Establishing a Standard for Basic Cyber Hygiene

The defense industry supply chain is reliant on the flow of data through a vast number of networks both within and across multiple manufacturer’s systems.  Securing this data is essential for maintaining national security.  The rapid increase in cyber-espionage aimed at the industrial sector places this data at an increased risk.  While a number of cybersecurity approaches exist in the industrial sector, most are not appropriate or adequate for the protection of controlled and uncontrolled defense information.  

CMMC 2.0 has been developed as a means of implementing a risk based management approach with baseline requirements that are adaptive to changing cyber threats.  It also includes a certification process to ensure that organizations DoD contractors comply with CMMC.  This will allow for the integration of companies of all sizes and at all levels to maintain the resiliency and integrity of the defense manufacturing supply chain.

CMMC Levels of Compliance

As opposed to CMMC 1.0, CMMC 2.0 has three different levels of CMMC compliance.  While Level 3 compliance is reserved for programs that the DoD considers of high priority, Level 1 and 2 determinations are based on the type of information an organization is using, Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

As defined in 48 CFR 52.204-21, FCI refers to information provided or generated by the U.S. government that is not intended for public release.  This information is generally created in the development of a contract for a product or service. 

CUI as defined in 32 CFR 2002.4, is information that the U.S. government creates or possesses, or any information created for the Government, that is controlled by a law or regulation.  The CUI definition does not include classified information.  It would therefore include, unclassified information that falls under the jurisdiction of the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR).

CMMC Level Requirements

  • Level 1 (Foundational) applies to organizations that deal solely with FCI.  Level 1 requirements for cybersecurity are based on requirements detailed in FAR 52.204-21.  These 17 controls protect contractor information systems by limiting their access to authorized users.
  • Level 2 (Advanced) applies to organizations that work with CUI.  Level 2 requirements include the 14 levels and 110 controls contained in NIST 800-171.  
  • Level 3 (Expert) applies to organizations working on high priority projects critical to U.S. national security.  Level 3 will include the controls for Level 2 along with additional controls that have yet to be announced.  These controls will be designed to reduce the risk from Advanced Persistent Threats (APTs). 

CVG Strategy’s Experience and Commitment

CVG Strategy is committed to the goals of CMMC in securing our defense manufacturing supply chain’s information secure.  As industry leaders in cybersecurity, ITAR, and risk based management systems.  We have experience with companies of all sizes and understand the importance of innovating flexible approaches to meeting the requirements CMMC, establishing effective programs, and achieving certification.

Many organizations find it beneficial to integrate CMMC requirements into an Information Security Management System (ISMS) such as ISO 27001.  The basis of ISO 27001 requires ongoing risk assessment and asset management.

It requires information security incident management to anticipate and respond to information security breaches. It requires a regular and systematic internal audit to review that management. ISO 27001 also requires the implementation of training and awareness throughout the organization to create a code of practice.

An ISO Information Security Management System (ISMS) is a comprehensive approach to keep confidential corporate information secure. It encompasses people, processes and IT systems and helps your business coordinate your security efforts consistently and cost effectively.

Kevin Gholston

Share this post