Dayton Area Defense Contracts continue to hear about CMMC
If you have worked in the Defense industry for a long period of time, things like CMMC, DFARS, CUI, and NIST 800-171 may make sense or sound familiar. If you are not currently in Defense, or new to the industry and do not understand most of those acronyms and wish people would use words – then you are in the right place.
Ok, so what is CMMC? Cybersecurity Maturity Model Certification (CMMC) was created to ensure Defense Contractors and Sub-contractors are standardized on how to treat Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
At this point in time CMMC is not an official certification yet so DFARS (Defense Federal Acquisition Regulation Supplement) contract language will defer to NIST 800-171.
“More Acronyms?!?”
“Oh, yeah! Buckle in, there’s more!”
CMMC is being updated to 2.0 and should be out by May of 2023. By November 30, 2025, all contracts will be expected to include language that expects proof of CMMC certification for DoD contractors. With CMMC 2.0 coming out, there has been much confusion with many businesses in the Dayton area on what exactly has changed. Although nothing has been finalized, we wanted to cover some of the main updates they are looking to implement.
What’s New With CMMC
To start, CMMC 1.0 had 5 Tiers dependent on the level of information needing protected:
- Tier 1: Safeguard Federal Contract Information (FCI)
- Tier 2: Serve as transition step in cybersecurity maturity progression to protect CUI
- Tier 3: Protect Controlled Unclassified Information (CUI)
- Tiers 4-5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs)
CMMC 2.0 is leaning towards removing Tiers 2 and 4, leaving only three levels of certification. Level 1 will continue with safeguarding FCI. Level 2 will focus on protecting CUI, utilizing the NIST 800-171 framework. Level 3 will be the highest level, requiring the NIST 800-172 framework in addition to everything in the previous two levels.
The next major change is the process of getting certified. Originally, certification for every tier was going to require a third-party assessor, with no exceptions. Under 2.0, CMMC will allow self-assessments for Level 1 certifications, as well as allowing limited self-assessments at level 2 if approved by the CMMC Accredited Body. Most Level 2 certifications, and all Level 3 certifications, will require an assessment performed by a Certified Third-Party Assessment Organization (C3PAO).
The last major change has to do with waivers. In CMMC 1.0, in order to be certified, the organization had to meet all of the requirements at the time of the audit. The proposed updates for 2.0 will now allow for waivers under certain circumstances. If a contractor fills out a Plan of Actions and Milestones (POA&M), detailing the plans to address the areas that were not in full compliance, then the CMMC governing body may allow a waiver in granting certification.
Final Pieces of Information to Think About
According to the DFARS Case 2019-D041, “By October 1, 2025, all entities receiving DoD contracts and orders, other than contracts or orders exclusively for commercially available off-the-shelf items or those valued at or below the micro-purchase threshold, will be required to have the CMMC Level identified in the solicitation, but which at minimum will be a CMMC Level 1 certification.”
DoD contractors who handle Controlled Unclassified Information (CUI) are already required to self-certify compliance with the NIST SP 800-171 set of cybersecurity best practices.
If you have not already started this process, now would be a good time to get started…ESPECIALLY if you already handle CUI. Level 2 of CMMC can be extensive, but it begins with a Risk Assessment. Although sefl-assessments can be conducted, unless you are extremely familiar with information security termonlogy and how to ascertain what a control is requiring, we strongly recommend teaming up with a firm familiar with CMMC and the NIST 800-171 framework. If you have already completed a Risk Assessment, it is recommended to have a POA&M generated that identifies areas that need to be addressed and the timeline to complete those milestones.
There is plenty more details and information that can be supplied, but I recommend finding a good company that can walk you through the process, answer your questions accurately, and help with milestone implementation (I hear good things about LMS). I want to credit https://cmmcaudit.org with the information provided and refer you there if you really want to drill down on this topic. For some background information on CMMC, review our original CMMC blog HERE.
If you have any questions regarding CMMC or Information Security, please don’t hesitate to reach out to LMS at 937-912-9045 or through our website Contact Page.