If you’re a company in the Defense Industrial Base (DIB), you need to know about the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program. Introduced in 2019, CMMC will go into effect in May 2023.
But first: what is the CMMC program? It’s the DoD’s response to increased cyber risk due to the loss of Controlled Unclassified Information (CUI) from the DIB. The CMMC is designed to standardize cybersecurity standards throughout the DIB and better secure CUI.
The Department of Defense initially released v1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework in January 2020. The goal of the document was to ensure appropriate levels of cybersecurity practices and processes were in place to protect federal contract information (FCI) and controlled unclassified information (CUI).
Since the release of 1.0, CMMC has undergone significant revisions. Today’s CMMC 2.0 is expected to go into effect in May 2023 and be in contracts by July 2023. That means you have a short time to get your house in order so that you can remain competitive in the DIB. This post is meant to help you get started: it provides an overview of CMMC 2.0, its practices and levels, and what you need to know to begin your compliance journey.
The DoD introduced its CMMC initiative in mid-2019 and released CMMC 1.0 in early 2020. The initial program called for external audits of each and every one of the hundreds of thousands of companies doing work for the DoD, all within five years.
SMBs quickly pushed back. Hundreds of public comments expressed concerns about the complexity of the CMMC framework, arguing that the costs of compliance and third-party certification would force SMBs out of the DIB.
Congressional hearings followed, and in November 2021 DoD released its much-streamlined CMMC 2.0 model. The new program focuses on reducing costs for SMBs and aligning cybersecurity requirements with other federal requirements. The DoD reshaped CMMC to follow a security-first approach that would be accessible even to smaller companies.
CMMC 2.0 differs from 1.0 in the following key ways:
CMMC 2.0 no longer requires third-party assessments for Level 1. Those defense contractors and subcontractors that only manage FCI can self-attest their cybersecurity compliance.
Further, unlike the original framework, the CMMC 2.0 model allows limited use of Plans of Action and Milestones (POA&Ms). At the time of assessment, an organization can submit a POA&M in lieu of meeting certain non-critical security controls. POA&Ms will only be accepted for 1-point controls; they will not be accepted for controls worth 3 or 5 points.
CMMC 2.0 lowers the number of CMMC levels from five to three. It does this by cutting the old levels 2 and 4, which were originally developed as transition levels. The new CMMC 2.0 levels are based on the type of information DIB companies handle.
Unlike CMMC 1.0, which required all DoD contractors to undergo third-party assessments for CMMC compliance, CMMC 2.0 assessment requirements will be based on the type of information DIB companies are working with as illustrated in the figure below.
Companies seeking Level 1 will not require third-party certification. Instead, the contractor must specify the people, technology, facilities and external providers within their environment that process, store or transmit FCI. Companies will be required to self-certify once per year that they meet the basic safeguarding requirements for FCI specified in FAR clause 52.204-21.
The DoD has clarified its initial statements that it will bifurcate Level 2 requirements. As it is understood now, a significant majority of defense contractors seeking Level 2 will need to undergo third-party assessments once every three years. Those assessments will be conducted only by accredited C3PAOs (CMMC Third Party Assessment Organizations) or certified CMMC Assessors. A very small number of organizations will be allowed to self-assess.
Once the new CMMC 2.0 Assessment Guide is released, the CMMC-AB (CMMC Accreditation Body) will resume training C3PAOs and CMMC Assessors, as well as CMMC consultants. Contractors will be fully responsible for obtaining and coordinating the requisite assessment and certification.
After the completion of the CMMC assessment, the C3PAO will provide an assessment report to the DoD. Again, requirements for Level 2 align completely with NIST SP 800-171. Remember that self-assessment of NIST SP 800-171 compliance has been required since 2017 for contractors subject to DFARS 252.204-7012. In addition, as of November 2020, scores must be reported to the DoD’s SPRS (Supplier Performance Risk System).
As of December 2021, the DoD was still working on the details of the bifurcation of Level 2. DoD officials have made clear that they do not plan to create a different class of CUI. Examples of contracts provided by DoD for self-assessment are designing military uniforms or boots, both of which involve CUI but not sensitive national security information. Examples of Level 2 work that would require triennial C3PAO assessments are developing parts for a weapons system, or for a command and control communications system.
Those companies seeking Level 3 (Expert) compliance will need to meet the security requirements specified in NIST SP 800-171 plus a subset of requirements specified in NIST SP 800-172. The DoD is still in the process of determining how organizations seeking Level 3 compliance will be assessed. However, those companies will require a DIBCAC audit to achieve compliance.
The DoD’s Stacy Bostjanik recently announced that the likely date of the CMMC interim rule is May 2023. CMMC 2.0 will go into contracts in July 2023.
While updated contracts are phased to begin between 2023 and 2026, there is no reliable way for companies to predict which group they’ll fall into. This means that all 80,000 businesses in the DIB that handle CUI should plan to be compliant with CMMC Level 2 by July 2023.
The cost of CMMC compliance depends on a number of factors.
The more employees you have in your assessment scope, the higher you can expect your costs to be.
If you’re starting from scratch, your compliance journey will cost more, and take longer, than a company that’s further along in their process to start with. Things to consider include documentation development, technology implementation, and what processes and procedures are already documented and in use.
Achieving CMMC compliance will take a combination of policy and technology. The more technology you still have to implement, the greater your costs.
For most organizations, consulting costs will make up the bulk of your budget. This includes policy, procedure, documentation creation, and Gap Analysis. As an SMB, you should expect to spend $5,000-$25,000 on consulting costs alone.
Technology solutions, including managed services, are the next biggest chunk. Expect to spend $1,000-$2,500 per month.
Your CUI technology solution will make up the rest of your budget, costing $30-$80 per user per month.
If you’re a defense contractor looking to start your CMMC compliance journey, you should look to meet the 110 controls in NIST 800-171. Don’t procrastinate. Preparation to meet these controls can take up to 18 months.
PreVeil’s encrypted Drive and Email support compliance with virtually all the new CMMC Level 2 requirements related to the communication and storage of CUI. In contrast, most widely used commercial systems for storing and sharing CUI do not comply with the Level 2 requirements. Organizations using those standard commercial solutions will need to adopt new platforms to improve their cybersecurity, achieve CMMC Level 2, and win DoD contracts.
PreVeil Drive and Email can help your organization achieve NIST SP 800-171 compliance and, when the time comes, CMMC Level 2 certification — a straightforward step given that the new Level 2 requirements will mirror NIST SP 800-171. PreVeil also helps your organization comply with other federal cybersecurity regulations including DFARS 252.204-7012 and ITAR 120.54.
The new CMMC’s cybersecurity standards will better arm the DoD in its efforts to defend against cyberattacks that threaten U.S. advantages in the military, technological and commercial realms. But it’s clear that the DoD cannot wait for CMMC 2.0 to be implemented to improve cybersecurity in the DIB. While the new CMMC 2.0 model works its way through the federal rulemaking process, enforcement of federal cybersecurity regulations governing defense contractors has stepped up.
A key target for enforcement is NIST SP 800-171, which has stipulated security controls necessary to protect CUI since 2017. Compliance with NIST SP 800-171 now will smooth your company’s path to the new Level 2 Advanced, which matches its 110 controls perfectly, when CMMC 2.0 becomes law.
It is important that organizations handling CUI and seeking future DoD contracts get started on the compliance path. Even as the final CMMC 2.0 ruling is winding its way through the DoD, NIST 800-171 continues as the standard with which organizations must comply. If you’re a defense contractor, or plan to seek DoD contracts that may include CUI, you need to get started on your NIST compliance path today.
To learn more about how PreVeil’s state-of-the-art platforms can help your organization, please contact us at preveil.com/contact or (857) 353-6480.