Data security is an enormous point of interest for the United States government. With the ever-changing landscape of cyber threats, data protection is a necessity at the federal level. Security expectations also extend to the Defense Industrial Base (DIB) sector.
With this in mind, the federal government has established internal legislation and mandates to protect their data when working with government contractors. Two examples are the Defense Federal Acquisition Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC).
While DFARS 252.204-7012, titled “Safeguarding Covered Defense Information and Cyber Incident Reporting,” has been a standard for government contractors since 2017, CMMC is a newer framework established in 2020. Here, we’ll cover the essential points government contractors need to know about DFARS and CMMC, including their differences and what changes to expect with CMMC.
Controlled Unclassified Information (CUI) is data that is not classified but must still be protected from public access. Before broad legislation was enacted, agencies working for the government implemented their own controls to protect CUI datasets. To combat this lack of consistency, the government enacted Executive Order 13556 in November 2010 to create a set of best practices and standards for managing CUI datasets. However, this legislation led to confusion as to how to share datasets across agencies.
To resolve the issues with Executive Order 13556, the National Institute of Standards and Technology (NIST) established the NIST Special Publication 800-171, titled “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.” The standard set clear expectations for minimum security controls for contractors’ information systems. This NIST publication was made a requirement in December 2015 with DFARS.
The primary goal of DFARS legislation was to create a set of best practices and standards that applied to both civilian and defense agencies working with the federal government in the DIB sector. As of December 31, 2017, DFARS compliance is mandatory for any contractors that store or transmit CUI datasets, or else they risk losing their contracts. These minimum requirements are summarized below:
Implementing the safeguarding and reporting processes allows contractors working with the DOD to protect their data. But the cybersecurity landscape is constantly changing, and the standards for CUI dataset management have had to change with it.
The loss of CUI from federal agencies and contractors has become an increased risk in recent years, posing a threat to national security. Malicious cyber activity is expected to cost the global economy up to $6 trillion USD in 2021, and the cost is expected to increase in the coming years. Businesses are prime targets for cyberattacks, and some of those businesses contract with the U.S. government, storing CUI datasets. Risks to these businesses present a risk to national security, which became all too clear in 2020.
Cybersecurity for government contractors gained renewed scrutiny with the breach of SolarWinds in 2020. The company provided network management software to thousands of customers, including several U.S. agencies. In 2020, it was found that Russia’s SVR intelligence agency had gained access to the company’s data. While the U.S. Cybersecurity and Infrastructure Security Agency immediately took action to halt use of the compromised software across government agencies, several agencies, including the Commerce Department and the Department of Homeland Security, were affected by the breach.
The SolarWinds breach serves as a stark reminder that cybersecurity is a constant looming threat, and government contractors must remain vigilant for the sake of national security. For these reasons, the U.S. government introduced CMMC.
CMMC is a standard that unifies the implementation of cybersecurity measures across the DIB sector. Introduced in January 2020, the CMMC incorporates preexisting legislation from DFARS and NIST SP 800-171 and enhances it, creating a unified set of cybersecurity best practices. As a whole, the CMMC serves as a scalable framework for assessing and enhancing the cybersecurity of the sector and assuring the U.S. government adequate protections.
Like DFARS, the CMMC sets security requirements for government contractors across several domains, though the CMMC defines 17 domains instead of the 14 in DFARS. The CMMC also defines 43 capabilities and 171 practices distributed across these 17 domains. Not all companies need to demonstrate these capabilities and practices — instead, they are required based on the maturity level required for the company in question.
That brings us to the topic of maturity levels, which is one of the biggest changes under CMMC. The new standards under CMMC include a hierarchy of maturity levels, which represent the different levels of data security that government contractors must implement. In the future, government agencies will define the appropriate CMMC maturity level for their needs, which contractors will need to meet before they bid on a contract. These levels are summarized below:
Now that we’ve defined the regulations, the question becomes what is the difference between CMMC and DFARS? CMMC and DFARS goals overlap quite a bit. In fact, the CMMC is heavily based on DFARS. The CMMC and DFARS objectives primarily target government contractors and subcontractors working within the DIB sector, and both are heavily based on NIST 800-171.
So, what makes DFARS and CMMC different? The differences between DFARS and CMMC come down to implementation and assessment. Some of the key differences are highlighted below:
CMMC is still in the process of rolling out, but the question on many contractors’ minds is: will CMMC replace DFARS? The short answer is no. The release of CMMC does not mean that DFARS is going away. All DOD contractors working with CUI must still meet DFARS minimum security standards to keep their contracts, and DFARS clauses will still be used in contracts.
The primary differences for contractors going forward relate to CMMC certification. These updates are summarized below:
Going forward, contractors will see CMMC and DFARS requirements used in conjunction with one another. While the changes under CMMC are significant, the end result will be a more secure environment for both contractors and government agencies. If you have specific questions about CMMC, consult this helpful FAQ page about CMMC updates.
The schedule for CMMC implementation is coming quickly. The DOD is adding CMMC level requirements to DOD contract RFIs starting in 2021. The implementation process will expand based on procurements for DOD programs and technologies — CMMC level requirements will be added to specific procurement types each year, with the number of procurements increasing in subsequent years. Once a procurement switches to CMMC level requirements, CMMC certification will be used as the basis for awarding contracts.
The implementation schedule will start in 2021 with a pilot program that includes 15 procurements. The pilot program will focus on critical areas, including nuclear and missile defense. The contracts in this pilot program will focus on contractors that must process or store CUI, and therefore meet requirements for CMMC Level 3.
In subsequent years, the program will extend CMMC requirements to more programs. A total of 75 procurements will be included in 2022, 250 procurements in 2023, 325 procurements in 2024, and 475 procurements in 2025. During these years, the department will begin to incorporate CMMC Levels 4 and 5 for a portion of contracts.
CMMC has already been updated with clarified verbiage regarding assessment protocols and standards, but further changes are expected as CMMC begins its rollout schedule. Some changes and concerns that are expected to be addressed in the next few years include the following:
The CMMC project will evolve over the next few years to address the needs of the DIB sector and the federal government. Because of this, it’s essential that contractors stay informed on the status of CMMC guidelines as the rollout progresses.
To prepare for CMMC, DIB companies need to start learning how to comply with CMMC rules now.
One of the first things to consider is whether or not your company handles CUI. If your company possesses, stores, or transmits CUI, you will need to obtain CMMC Level 3 certification before your procurement rollout date. If your company does not handle CUI, but does possess Federal Contract Information (FCI), then you must obtain CMMC Level 1 certification. If you do not handle CUI or FCI, then you do not require any CMMC certification.
Once you determine your basic certification needs, the next step is to compare your current cybersecurity position with CMMC Level 3 requirements. If your company already meets DFARS and NIST 800-171 requirements, you have a strong foundation for CMMC Level 3 certification. Study the new requirements and compare them to your current protocols to develop an implementation plan.
Once you’re ready for CMMC assessment, you can select a C3PAO from the CMMC Accreditation Body’s website. Once you’ve made your selection, coordinate with the C3PAO to plan the CMMC assessment. After the assessment, your company will receive an assessment report with its results. If you pass, your CMMC certificate with your CMMC level designation will be sent to you and the DOD.
CMMC presents a significant change to cybersecurity needs for DIB companies. If you want help preparing for the CMMC rollout, BTI is here. We offer CMMC consulting, training, and assessment services to help DIB companies prepare for CMMC rollout. As a professional CMMC consultant service, BTI is dedicated to providing affordable and effective services that can help with all CMMC levels. With our qualified consultants and expert certifications, we have everything you need to align your processes before rollout.
Contact BTI today to learn more about our CMMC services.