Summing It Up

Cybersecurity Compliance Requirements for DoD Contractors

Written by Zachery Ziolkowski | Tue, Oct 12, 2021 @ 03:00 PM

Certified compliance with the Cybersecurity Capability Maturity Model (CMMC) framework will be a go-no-go contract award criterion

The Cybersecurity Capability Maturity Model (CMMC) is a framework created in early 2020 for the 300,000 plus contractors conducting business, or who would like to conduct business, with the Department of Defense (DoD).

Essentially, CMMC is a set of mandatory cybersecurity requirements that all defense contractors must implement. Implementation must be validated, via CMMC audit, by an independent third party before contract award.

Contractors – primes and subs – should note that protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are go-no-go contract award criteria. Self-attestation is no longer acceptable.

Background of the CMMC Framework

The CMMC framework is largely based of off several other existing frameworks such as SP 800-171 Rev 2 (NIST), Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS 7012). The CMMC framework consists of 5 different levels across 17 different domains with over 171 practices.

The primary purpose of CMMC is to safeguard information that is classified as Federal Contracting Information (FCI) and Controlled Unclassified Information (CUI) throughout the DoD supply chain.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is defined as information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies. This is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

Due to less controls and safeguards around CUI in comparison to information that is classified, this could lead to complications. This opens the doors for those who may try to take advantage of this type of information to ultimately cause harm to the United States and any allies.

CMMC Levels of Compliance

Level 1 (Basic Cyber Hygiene): At Level 1, only six (6) of the seventeen (17) domains are in scope and include seventeen (17) controls (practices).

Level 2 (Intermediate Cyber Hygiene): At level 2, fifteen (15) domains are in scope and include a total of 72 controls.

Level 3 (Good Cyber Hygiene): At level 3, seventeen (17) domains are in scope and include a total 130 controls.

Level 4 (Proactive): At level 4, seventeen (17) domains are in scope and include a total 156 controls.

Level 5 (Advanced / Progressive): At level 5, seventeen (17) domains are in scope and include a total 171 controls.

The CMMC framework levels build upon each other, starting from basic and going through to advanced. This will help companies obtain higher levels of the CMMC framework. A company can only be certified at levels 1, 3, and 5; however, level 2 and 4 are steppingstones to help facilitate jumping to the next certification level.

Additional detailed information can be found here.

All DoD Contractors Must be CMMC Certified by 2025

Will you be affected by the new CMMC framework?

If you are a contractor or vendor that works with the DoD, you will be subjected to the CMMC certification; however, you may not be subjected to CMMC right away. The Cybersecurity Capability Maturity Accreditation Board (CMMC-AB) has decided to take a phased approach starting with rolling out the new framework for those who currently doing business with the DoD.

As previously mentioned, your company can be certified at 3 different levels dependent upon the type of data you will receive or produce.

  • If your company receives FCI, you will be subjected to level 1 certification.
  • If your company obtains or creates CUI, you will be subjected to level 3 certification.

You will be able to determine this through the bidding process as it will state what level you need to be certified at.

Who will Assess your Company or CMMC Compliance?

The CMMC-AB and DoD have worked together to create procedures to accredit independent third parties called Certified Third-Party Assessment Organization (C3PAO). To become CMMC compliant you will have to pass an audit by a C3PAO.

Freed Maxick’s Third Party Readiness Review for CMMC Compliance Audit

Freed Maxick is a Registered Provider Organizations with a team of Registered Practitioners that will work with you and your organization to review your overall compliance with CMMC. By conducting a thorough examination of your organization’s IT environment and practices, we can help you navigate CMMC, identify weak areas in your current processes, and advise you on the most effective and efficient ways to prepare to become CMMC complainant.

If you think your company will be subjected to the CMMC framework and want to get more information from our cybersecurity consulting team on how to become CMMC compliant, please contact me at Zachery.Ziolkowski@freedmaxick.com or connect with me on LinkedIn.