This blog was updated on November 11th to include updates from the CMMC-AB Town Hall.
DoD’s Office of the Under Secretary of Defense for Acquisition and Sustainment recently issued a long-awaited statement regarding updates to its Cybersecurity Maturity Model Certification (CMMC) program. The DoD introduced CMMC 2.0, streamlining the CMMC program via a significant set of changes including lowering the number of CMMC levels from 5 to 3, dropping all maturity requirements, and allowing more self-attestation of compliance and POAMs, as shown in the image below. To help make sense of these developments, we share here PreVeil’s perspective on the CMMC changes, along with recommendations for any DIB company on how best to move forward.
The most important takeaway from the shift to CMMC 2.0 is that DFARS 252.204-7012, NIST SP 800-171, and ITAR remain the law of the land and are required for handling CUI or ITAR data in the performance of many DoD contracts. Incident reporting, forensic snapshots, FIPS 140-2 encryption, and all 110 NIST 800-171 controls are required in full effect for companies handling CUI or ITAR data.
The DoD also announced plans to strengthen the basis of the CMMC program by aligning CFR (Code of Federal Regulations) language with DFARS. That is, CMMC 2.0 will remove any ambiguities stemming from DFARS Interim Rule 2019-D041, Clause 7021, which had previously been relied upon to implement CMMC. Codifying CMMC 2.0 through the federal rulemaking process will provide the clarity needed to effectively enforce and measure cyber compliance across all commands and agencies.
While we wait for CMMC 2.0 to make its way through the DoD rulemaking process, remember that the DFARS remains in force. Just as the IRS can audit a taxpayer, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) could select a contractor for a NIST 800-171 audit. You will want to be sure that your company is implementing adequate data protections and is on a path toward achieving a good NIST 800-171 score, which now must be filed in the DoD’s Supplier Performance Risk System (SPRS).
Have you seen the Department of Justice’s new Civil Cyber-Fraud Initiative to hold contractors accountable for cybersecurity? DoJ is now utilizing the power of the False Claims Act to help enforce cybersecurity compliance, and is encouraging whistleblowers to come forward. A new task force will focus on investigating reports of contractors choosing to withhold reports of breaches or falsify claims of compliance scores. DCMA (Defense Contract Management Agency) is already enforcing DFARS compliance via DIBCAC audits. Further, prime contractors have a huge stake in making sure their suppliers are representing their security programs accurately, and are taking action by dismissing those that do not.
On the November 9th CMMC-AB Town Hall, AB and DoD officials offered further clarification and details on CMMC 2.0. There were 5 main takeaways from this discussion:
PreVeil’s file sharing and secure messaging features protect your CUI with unmatched security and can facilitate your compliance journey. In a recent case study, a PreVeil customer underwent a DIBCAC high audit for NIST 800-171 and achieved a near perfect 109 out of 110 score using PreVeil as an essential part of their overall cybersecurity program. Using PreVeil’s platform enabled the customer to meet over 80 of the 110 NIST 800-171 controls. Under the new rules of CMMC 2.0, the organization would have achieved CMMC 2.0 level 2 compliance with minimal additional work.
DoD’s requirements to protect CUI are still very much in effect while CMMC 2.0 works its way through the federal rulemaking process. Noncompliance carries significant enforcement and business risks. Without question, companies that do work for the DoD need to keep up with their compliance initiatives and continue to raise their NIST 800-171 scores towards 110.
Now is the time to implement a DFARS compliant cybersecurity program—contractors won’t have time to react later when CMMC 2.0 becomes law, or when an audit is coming their way. Companies that are prepared and compliant will have competitive advantages when contracts are awarded, new rules emerge, or audits happen.
Realization of CMMC 2.0 will take time, but until then, data protection remains a top priority for national security. Defending the DIB’s attack surface and protecting data from our nation’s adversaries remains a never-ending challenge well worth the effort required.