What DIB Companies Need to do While We Wait for CMMC 2.0

This blog was updated on November 11th to include updates from the CMMC-AB Town Hall.

DoD’s Office of the Under Secretary of Defense for Acquisition and Sustainment recently issued a long-awaited statement regarding updates to its Cybersecurity Maturity Model Certification (CMMC) program. The DoD introduced CMMC 2.0, streamlining the CMMC program via a significant set of changes including lowering the number of CMMC levels from 5 to 3, dropping all maturity requirements, and allowing more self-attestation of compliance and POAMs, as shown in the image below. To help make sense of these developments, we share here PreVeil’s perspective on the CMMC changes, along with recommendations for any DIB company on how best to move forward.

It’s still all about protecting the data

The most important takeaway from the shift to CMMC 2.0 is that DFARS 252.204-7012, NIST SP 800-171, and ITAR remain the law of the land and are required for handling CUI or ITAR data in the performance of many DoD contracts. Incident reporting (within 72 hours of discovery), preservation of forensic images and relevant monitoring data, FIPS 140-2 validated encryption, and all 110 NIST 800-171 controls remain in full effect for companies handling CUI or ITAR data.
The DoD also announced plans to strengthen the basis of the CMMC program by aligning the CFR (Code of Federal Regulations) language with the DFARS. That is, CMMC 2.0 will remove the ambiguities stemming from the DFARS Interim Rule (DFARS Case 2019-D041, clause 252.204-7021), which had previously been relied upon to implement CMMC. Codifying CMMC 2.0 through the federal rulemaking process will provide the clarity needed to enforce and measure cyber compliance consistently across all commands and agencies.

Audits are not going away

While we wait for CMMC 2.0 to make its way through the DoD rulemaking process, remember that the DFARS remains in force. Just as the IRS can audit a taxpayer, DCMA’s DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) can select a contractor for a NIST 800-171 assessment. You will want to be sure that your company is implementing adequate data protections and is on a path toward a good NIST 800-171 score, which must now be filed in the DoD’s SPRS (Supplier Performance Risk System).

Remember, too, that CMMC will be back upon completion of the rulemaking process—and so will third-party assessments for at least some contractors. The bottom line is that it makes a lot of sense to stay in compliance with the current rules while keeping an eye on the future rules that lie ahead.

Enforcement is real

Have you seen the Department of Justice’s new Civil Cyber-Fraud Initiative to hold contractors accountable for cybersecurity? DoJ is now using the False Claims Act to enforce cybersecurity compliance, and is encouraging whistleblowers to come forward. A new task force will investigate reports of contractors withholding breach reports or falsifying compliance scores. DCMA (Defense Contract Management Agency) is already enforcing DFARS compliance via DIBCAC assessments. Further, prime contractors have a huge stake in making sure their suppliers represent their security programs accurately, and are taking action by dismissing those that do not.

November 9th Town Hall

On the November 9th CMMC-AB Town Hall, AB and DoD officials offered further clarification and details on CMMC 2.0. There were 5 main takeaways from this discussion:

  1. Audits are not dead. DCMA DIBCAC audits are ongoing and the DCMA can decide to conduct an audit for whatever reason it deems necessary. Once CMMC 2.0 is adopted, third-party C3PAOs will audit essential Level 2 contracts that have prioritized acquisitions.
  2. For non-prioritized Level 2 contracts, a company officer will need to sign off on the organization’s self-assessment and confirm that it meets the 110 NIST 800-171 controls. (NIST 800-172, the enhanced requirements, applies only to Level 3.) If the officer falsely states compliance, the organization is liable under the False Claims Act and can be pursued by the Department of Justice.
  3. POAMs will not be allowed for the highest weighted level 2 controls. For example, organizations will not be able to create a POAM for AC 3.1.13: “cryptographic mechanisms to protect the confidentiality of remote access sessions” which has an SPRS score of 5. However, an organization could create a POAM for AC 3.1.8 “limiting unsuccessful logon attempts” which has an SPRS weight of 1. Importantly though, if a POAM is created, it must be closed within 180 days.
  4. Organizations that handle any type of CUI will require Level 2 certification. That means they need to take appropriate steps to ensure CUI is protected with FIPS 140-2 validated cryptographic modules. Furthermore, if the organization uses cloud services to store, process, or transmit CUI, it must ensure the provider meets the FedRAMP Moderate baseline (or equivalent) and complies with DFARS 252.204-7012 paragraphs (c) through (g) (incident reporting, preservation of forensic data, and cooperation with damage assessments).
  5. Any organization that is currently handling CUI is already required to meet DFARS 7012, which includes the 110 controls in NIST 800-171. Organizations that are not fully compliant, should focus on closing out POAMs related to those controls.
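
The SPRS scoring and POAM rules in takeaways 3 and 5 above are easy to get wrong by hand, so here is an added worked example (written for this edit, not PreVeil’s code or the DoD’s tooling) that scores a self-assessment the way the DoD Assessment Methodology does: start at 110 and subtract each unimplemented control’s weight, with the two special partial-credit cases (3.5.3 MFA and 3.13.11 FIPS cryptography) deducting 3 instead of 5. It then flags which gaps may be carried on a POAM (weight below 5, per the town hall) and computes the 180-day closure deadline. The weight table is a constructed subset: 3.1.8 (1 point) and 3.1.13 (5 points) are the values quoted above; the other entries are as the author reads Annex A of the methodology and should be checked against the official table before use. Controls not listed in the status map are assumed implemented.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"  # only valid for 3.5.3 and 3.13.11 under the methodology
    NOT_IMPLEMENTED = "not_implemented"


# Constructed subset of the DoD Assessment Methodology (Annex A) weights.
# 3.1.8 and 3.1.13 are quoted in the town hall takeaways above; the rest are
# the author's reading of the methodology. Verify against the official table.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.3": 1,    # control the flow of CUI
    "3.1.8": 1,    # limit unsuccessful logon attempts
    "3.1.13": 5,   # cryptographic protection of remote access sessions
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography protecting CUI
}

# Partial credit: MFA deployed for privileged/remote but not all users, or
# encryption in place but not FIPS-validated, costs 3 points instead of 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

MAX_SCORE = 110
POAM_WINDOW = timedelta(days=180)  # closure deadline stated in the takeaways


def deduction(control: str, status: Status) -> int:
    """Points subtracted from 110 for one control in the given status."""
    if control not in WEIGHTS:
        raise KeyError(f"unknown control {control}")
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.NOT_IMPLEMENTED:
        return WEIGHTS[control]
    if control not in PARTIAL_DEDUCTION:
        raise ValueError(f"partial credit is not defined for {control}")
    return PARTIAL_DEDUCTION[control]


def sprs_score(statuses: dict) -> int:
    """SPRS score for a self-assessment; unlisted controls count as implemented."""
    return MAX_SCORE - sum(deduction(c, s) for c, s in statuses.items())


def poam_allowed(control: str) -> bool:
    """Town hall rule: no POAM for the highest-weighted (5-point) controls."""
    return WEIGHTS[control] < 5


@dataclass(frozen=True)
class Poam:
    control: str
    opened: date


def poam_due(poam: Poam) -> date:
    return poam.opened + POAM_WINDOW


def poam_overdue(poam: Poam, as_of: date) -> bool:
    return as_of > poam_due(poam)


def remediation_plan(statuses: dict) -> dict:
    """Classify every gap as POAM-eligible or as a must-fix before attestation."""
    plan = {}
    for control, status in statuses.items():
        if status is Status.IMPLEMENTED:
            continue
        plan[control] = "poam" if poam_allowed(control) else "fix_before_attestation"
    return plan


if __name__ == "__main__":
    # Constructed sample assessment.
    assessment = {
        "3.1.13": Status.NOT_IMPLEMENTED,  # -5, and no POAM permitted
        "3.1.8": Status.NOT_IMPLEMENTED,   # -1, POAM permitted
        "3.13.11": Status.PARTIAL,         # -3 (encryption present, not FIPS-validated)
        "3.5.3": Status.IMPLEMENTED,
    }
    print("SPRS score:", sprs_score(assessment))
    print("plan:", remediation_plan(assessment))
    p = Poam("3.1.8", date(2021, 11, 9))
    print("POAM due:", poam_due(p), "overdue on 2022-05-09?", poam_overdue(p, date(2022, 5, 9)))
```

Note that a 3.13.11 partial (non-FIPS encryption) still counts as a gap against a 5-point control, so under the rule quoted above it could not be parked on a POAM even though it costs only 3 points; the plan function reflects that.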

PreVeil can boost your score and protect your data

PreVeil’s file sharing and secure messaging features protect your CUI with strong end-to-end encryption and can facilitate your compliance journey. In a recent case study, a PreVeil customer underwent a DIBCAC High assessment for NIST 800-171 and achieved a near-perfect score of 109 out of 110 using PreVeil as an essential part of its overall cybersecurity program. PreVeil’s platform enabled the customer to meet over 80 of the 110 NIST 800-171 controls. Under the new rules of CMMC 2.0, the organization would have achieved CMMC 2.0 Level 2 compliance with minimal additional work.

Conclusion – CMMC 2.0 reinforces strategy to move ahead with NIST 800-171

DoD’s requirements to protect CUI are still very much in effect while CMMC 2.0 works its way through the federal rulemaking process. Noncompliance carries significant enforcement and business risks. Without question, companies that do work for the DoD need to keep up with their compliance initiatives and continue to raise their NIST 800-171 scores towards 110.
Now is the time to implement a DFARS compliant cybersecurity program—contractors won’t have time to react later when CMMC 2.0 becomes law, or when an audit is coming their way. Companies that are prepared and compliant will have competitive advantages when contracts are awarded, new rules emerge, or audits happen.
Realization of CMMC 2.0 will take time, but until then, data protection remains a top priority for national security. Defending the DIB’s attack surface and protecting data from our nation’s adversaries remains a never-ending challenge well worth the effort required.