Data security is an enormous point of interest for the United States government. With the ever-changing landscape of cyber threats, data protection is a necessity at the federal level. Security expectations also extend to the Defense Industrial Base (DIB) sector.
With this in mind, the federal government has established internal legislation and mandates to protect their data when working with government contractors. Two examples are the Defense Federal Acquisition Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC).
While DFARS 252.204-7012, titled “Safeguarding Covered Defense Information and Cyber Incident Reporting,” has been a standard for government contractors since 2017, CMMC is a newer framework established in 2020. Here, we’ll cover the essential points government contractors need to know about DFARS and CMMC, including their differences and what changes to expect with CMMC.
CUI Dataset Protection
Controlled Unclassified Information (CUI) is data that is not classified but must still be protected from public access. Before broad legislation was enacted, agencies working for the government implemented their own controls to protect CUI datasets. To combat this lack of consistency, the government enacted Executive Order 13556 in November 2010 to create a set of best practices and standards for managing CUI datasets. However, this legislation led to confusion as to how to share datasets across agencies.
To resolve the issues with Executive Order 13556, the National Institute of Standards and Technology (NIST) established the NIST Special Publication 800-171, titled “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.” The standard set clear expectations for minimum security controls for contractors’ information systems. This NIST publication was made a requirement in December 2015 with DFARS.
What Does It Mean to Be DFARS Compliant?
The primary goal of DFARS legislation was to create a set of best practices and standards that applied to both civilian and defense agencies working with the federal government in the DIB sector. As of December 31, 2017, DFARS compliance is mandatory for any contractors that store or transmit CUI datasets, or else they risk losing their contracts. These minimum requirements are summarized below:
- Security: The first requirement of DFARS is to implement NIST SP 800-171 protocols, providing adequate security to safeguard CUI datasets from unauthorized access. “Adequate security” is defined across 14 groups of security requirements, which affect numerous aspects of IT security. The categories range from security and risk assessments to identification and authentication, personnel security, and awareness and training.
- Reporting: In addition to implementing security protocols, contractors working with the federal government must also have implemented rapid reporting of cyber incidents. Reporting includes cooperation with the Department of Defense (DOD) in response to any security incidents by providing access to affected files and details on the source of the breach.
Implementing the safeguarding and reporting processes allows contractors working with the DOD to protect their data. But the cybersecurity landscape is constantly changing, and the standards for CUI dataset management have had to change with it.
The Need for CMMC
The loss of CUI from federal agencies and contractors has become an increased risk in recent years, posing a threat to national security. At a global level, malicious cyber activity is expected to cost the global economy up to $6 trillion USD in 2021, and the cost is expected to increase in the coming years. Businesses are prime targets for cyberattacks, and some of those businesses contract with the U.S. government, storing CUI datasets. Risks to these businesses present a risk to national security, which became all too clear in 2020.
Cybersecurity for government contractors gained renewed scrutiny with the breach of SolarWinds in 2020. The network management company provided software-based network management for thousands of customers, including several U.S. agencies. In 2020, it was found that Russia’s SVR intelligence agency had gained access to the company’s data. While the U.S. Cybersecurity and Infrastructure Security Agency immediately took action to halt use of the compromised software across government agencies, several agencies, including the Commerce Department and the Department of Homeland Security, were affected by the breach.
The SolarWinds breach serves as a stark reminder that cybersecurity is a constant looming threat, and government contractors must remain vigilant for the sake of national security. For these reasons, the U.S. government introduced CMMC.
What Is CMMC?
CMMC is a standard that unifies the implementation of cybersecurity measures across the DIB sector. Introduced in January 2020, the CMMC incorporates preexisting legislation from DFARS and NIST SP 800-171 and enhances it, creating a unified set of cybersecurity best practices. As a whole, the CMMC serves as a scalable framework for assessing and enhancing the cybersecurity of the sector and assuring the U.S. government adequate protections.
Like DFARS, the CMMC sets security requirements for government contractors across several domains, though the CMMC defines 17 domains instead of the 14 in DFARS. The CMMC also defines 43 capabilities and 171 practices distributed across these 17 domains. Not all companies need to demonstrate these capabilities and practices — instead, they are required based on the maturity level required for the company in question.
That brings us to the topic of maturity levels, which is one of the biggest changes under CMMC. The new standards under CMMC include a hierarchy of maturity levels, which represent the different levels of data security that government contractors must implement. In the future, government agencies will define the appropriate CMMC maturity level for their needs, which contractors will need to meet before they bid on a contract. These levels are summarized below:
- Level 1: Level 1 requires organizations to perform basic cyber hygiene and safeguarding requirements. At this level, the maturity of their processes is not assessed.
- Level 2: Level 2 is a transitional stage that requires organizations to follow a subset of NIST SP 800-171 requirements. They are assessed based on their documentation of these processes. Companies at this level are not yet eligible to handle CUI, but have a framework for advancing to Level 3.
- Level 3: At Level 3, organizations are required to establish, maintain, and document their practices. Companies at this level are expected to follow all security requirements from NIST SP 800-171, as well as additional practices outlined by the CMMC. At this level, companies are eligible for protecting CUI datasets.
- Level 4: Level 4 requires the same practices as Level 3, some additional cybersecurity best practices outlined by CMMC, and additional protocols for self-assessment and correction. Level 4 companies are eligible to protect CUI and are expected to assess and reduce risks from Advanced Persistent Threats (APTs).
- Level 5: CMMC Level 5 focuses on optimization and requires organizations to standardize and optimize their processes. At this level, organizations are expected to demonstrate all practices and capabilities outlined by the CMMC, establishing sophisticated cybersecurity capabilities. Level 5 organizations are trusted to protect CUI from APTs.
What Are the Differences Between DFARS and CMMC?
Now that we’ve defined the regulations, the question becomes: what is the difference between CMMC and DFARS? The goals of CMMC and DFARS overlap quite a bit. In fact, the CMMC is heavily based on DFARS. Both primarily target government contractors and subcontractors working within the DIB sector, and both are heavily based on NIST SP 800-171.
So, what makes DFARS and CMMC different? The differences between DFARS and CMMC come down to implementation and assessment. Some of the key differences are highlighted below:
- Maturity levels: The most significant difference between DFARS and CMMC is in the implementation of maturity levels. DFARS did not have this type of system, instead establishing minimum requirements for CUI dataset management. The equivalent under the CMMC model is CMMC Level 3 maturity.
- Security standards: CMMC and DFARS are both based on NIST 800-171, but CMMC expands on the requirements with new categories, practices, and capabilities.
- Assessment: Another significant change is in how CMMC and DFARS compliance is assessed. DFARS establishes guidelines for continuous self-assessment. CMMC requires that compliance assessments be performed by CMMC Third Party Assessment Organizations (C3PAOs). CMMC certificates will be valid for three years and must be renewed before the certificate expires. Organizations must have new assessments performed to move up in CMMC levels.
Is CMMC Replacing DFARS?
CMMC is still in the process of rolling out, but the question on many contractors’ minds is: will CMMC replace DFARS? The short answer is no. The release of CMMC does not mean that DFARS is going away. All DOD contractors working with CUI must still meet DFARS minimum security standards to keep their contracts, and DFARS clauses will still be used in contracts.
The primary differences for contractors going forward relate to CMMC certification. These updates are summarized below:
- CMMC certification: Contractors must go through a compliance assessment performed by a C3PAO in order to achieve certification. The results of the audit must show 100% adherence to the requirements for the maturity level the contractor needs. For contractors pursuing DFARS contracts, this means they must meet the requirements for CMMC Level 3 maturity certification.
- Security requirements: CMMC Level 3 maturity certification means that contractors must meet NIST SP 800-171 requirements. In addition to these standards, contractors must also demonstrate the 20 additional practices and 52 maturity processes introduced in the CMMC.
- Contract stipulations: Contractors will also notice that government requests for information (RFIs) and requests for proposals (RFPs) will start displaying minimum CMMC maturity level requirements. Contractors will be able to apply for contracts based on their certified maturity level and must submit their certification when they are awarded a contract.
Going forward, contractors will see CMMC and DFARS requirements used in conjunction with one another. While the changes under CMMC are significant, the end result will be a more secure cybersecurity environment for both contractors and government agencies. If you have specific questions about CMMC, consult this helpful FAQ page about CMMC updates.
CMMC Rollout Schedule
The schedule for CMMC implementation is coming quickly. The DOD is adding CMMC level requirements to DOD contract RFIs starting in 2021. The implementation process will expand based on procurements for DOD programs and technologies — CMMC level requirements will be added to specific procurement types each year, with the number of procurements increasing in subsequent years. Once a procurement switches to CMMC level requirements, CMMC certification will be used as the basis for awarding contracts.
The implementation schedule will start in 2021 with a pilot program that includes 15 procurements. The pilot program will focus on critical areas, including nuclear and missile defense. The contracts in this pilot program will focus on contractors that must process or store CUI, and that therefore must meet the requirements for CMMC Level 3.
In subsequent years, the program will extend CMMC requirements to more programs. A total of 75 procurements will be included in 2022, 250 procurements in 2023, 325 procurements in 2024, and 475 procurements in 2025. During these years, the department will begin to incorporate CMMC Levels 4 and 5 for a portion of contracts.
The Future of CMMC
CMMC has already been updated with clarified verbiage regarding assessment protocols and standards, but further changes are expected as CMMC begins its rollout schedule. Some changes and concerns that are expected to be addressed in the next few years include the following:
- Applicability: Further clarification regarding requirements for subcontractors and procurements and the scope of coverage for CMMC is expected.
- Certification: Concerns regarding certification and recertification have also arisen following the announcement of CMMC compliance assessments. Clarification has been requested regarding certification in complex environments.
- Feasibility: While industry contractors recognize the need for improved cybersecurity protocols, the challenge is to balance regulation with feasibility. The concern posed by contractors is that some regulations may not add security and will impair the ability of contractors to innovate or even partner with the DOD.
- Split control: In the original CMMC guidelines, the CMMC Assessor and Instructors Certification Organization and the Accreditation Body would both be under CMMC control. However, this structure creates a conflict of interest. Many expect that these bodies will be split into separate business entities within the next few years to resolve the issue.
The CMMC project will evolve over the next few years to address the needs of the DIB sector and the federal government. Because of this, it’s essential that contractors stay informed on the status of CMMC guidelines as the rollout progresses.
How to Prepare for CMMC
To prepare for CMMC, DIB companies need to start learning how to comply with CMMC rules now.
One of the first things to consider is whether or not your company handles CUI. If your company possesses, stores, or transmits CUI, you will need to obtain CMMC Level 3 certification before your procurement rollout date. If your company does not handle CUI, but does possess Federal Contract Information (FCI), then you must obtain CMMC Level 1 certification. If you do not handle CUI or FCI, then you do not require any CMMC certification.
Once you determine your basic certification needs, the next step is to compare your current cybersecurity position with CMMC Level 3 requirements. If your company already meets DFARS and NIST 800-171 requirements, you have a strong foundation for CMMC Level 3 certification. Study the new requirements and compare them to your current protocols to develop an implementation plan.
Once you’re ready for CMMC assessment, you can select a C3PAO from the CMMC Accreditation Body’s website. Once you’ve made your selection, coordinate with the C3PAO to plan the CMMC assessment. After the assessment, your company will receive an assessment report with its results. If you pass, your CMMC certificate with your CMMC level designation will be sent to you and the DOD.
Insights From Business Transformation Institute, Inc.
CMMC presents a significant change to cybersecurity needs for DIB companies. If you want help preparing for the CMMC rollout, BTI is here. We offer CMMC consulting, training, and assessment services to help DIB companies prepare for CMMC rollout. As a professional CMMC consultant service, BTI is dedicated to providing affordable and effective services that can help with all CMMC levels. With our qualified consultants and expert certifications, we have everything you need to align your processes before rollout.
Contact BTI today to learn more about our CMMC services.