The Department of Defense (DoD) continues to perfect the CMMC 2.0 model during its rulemaking process. The delay in CMMC implementation is excellent news for contractors and subcontractors working diligently to get their organizations ready for assessments. Early compliance can put your company ahead of others, making you eligible to receive contract awards while others struggle to catch up.
This extended time is due to the DoD planning two rules to enforce how government contractors and their subcontractors protect controlled unclassified information in their systems instead of just one. The White House’s Office of Information and Regulatory Affairs said they expect to release the final proposed rules in June 2023, and it now looks like 2024 will be the year CMMC becomes operational.
With extra time to prepare on the horizon, we want to address one of the most frequently asked questions: How should Level 2 contractors implement CMMC 2.0?
In this post, we will review…
- CMMC 2.0 Overview
- CMMC Level 2 Self-Assessments
- CMMC Level 2 Third-Party Assessments
- Developing an Internal CMMC Program
What is CMMC 2.0?
The DoD requires regular cybersecurity assessments of contractors to ensure that sensitive information shared with the defense industrial base (DIB) is adequately protected. Where CMMC applies, the solicitation and Requests for Information (RFIs) will state the level required of contractors and subcontractors.
The DoD CIO states, “The [CMMC 2.0] program simplifies and increases accountability in the cybersecurity assessment process.”
The CMMC 2.0 model, which is aligned with NIST standards, is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with DoD contractors and subcontractors through acquisition programs. Any DIB company that processes, stores, or transmits CUI or FCI on its networks must be certified through an assessment.
Some programs with Level 2 requirements do not involve information critical to national security. Contractors who fall under this category will meet the criteria through annual self-assessments.
A senior company official will also confirm that the company meets the requirements. Self-assessments and official affirmations require annual Supplier Performance Risk System (SPRS) documentation.
It’s important to note that purchasing a product and then failing to monitor it, simply to qualify for contracts quickly, is unacceptable. The Civil Cyber-Fraud Initiative will hold individuals or entities responsible for putting U.S. information or systems at risk by:
- Knowingly providing deficient cybersecurity products or services.
- Knowingly misrepresenting their cybersecurity practices or protocols.
- Knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
Making false claims during a CMMC self-assessment violates the False Claims Act (FCA). The FCA imposes liability on individuals or entities who submit false claims for payment to the government, including claims for compensation of government contracts.
If you falsely claim during a CMMC self-assessment that your organization has met specific cybersecurity requirements in order to obtain a contract, and your organization then fails to meet those requirements, you could be liable under the FCA.
Under the FCA, individuals or entities that submit false claims may be subject to significant penalties, including treble damages (three times the amount of damages sustained by the government), plus additional fines and penalties.
The FCA also includes provisions for whistleblower protection, which may encourage individuals with knowledge of false claims to come forward and report them to the government.
To avoid being penalized for cybersecurity-related fraud under the FCA, contractors must complete an assessment with a CMMC expert, such as a Registered Provider Organization (RPO).
Having an expert review your practices and provide guidance ensures an accurate representation of your cybersecurity practices and capabilities. Falsely claiming compliance with CMMC requirements can have severe legal and financial consequences for both the contractor and the government.
Subsets of Level 2 contractors with access to information critical to national security will be required to obtain a third-party assessment on a triennial basis. CMMC Third Party Assessment Organizations (C3PAOs) or certified CMMC Assessors assess these companies.
Contractors are responsible for locating accredited C3PAOs listed on The Cyber AB Marketplace. Additionally, DIB companies will be wholly responsible for coordinating, planning, and obtaining their CMMC assessment and certification.
Preparing for the updated CMMC requirements is vital to being eligible for those prized contract awards. Developing and maintaining a program to meet the requirements of CMMC is your key to success.
The program should include the implementation of appropriate cybersecurity practices, processes, and technologies in line with each of the 17 domains of CMMC (with 43 capabilities).
Don’t forget to include any other cybersecurity and compliance requirements you are subject to. Follow the steps below to prepare your organization for future assessments.
Understand the Requirements
NIST Special Publication 800-171, from the National Institute of Standards and Technology (NIST), is at the heart of CMMC. Achieving a high SPRS score sets DIB companies up for CMMC success.
As noted earlier, there are two subsets for Level 2 contractors and subcontractors. You must understand the requirements your company must abide by and fulfill them.
First, identify which systems and solutions in your network store or transfer CUI, so that you can protect them according to NIST 800-171 requirements. Once they are identified, you can turn your attention to their security.
Mobile devices often access data, including CUI, making mobility a significant focus in the CMMC auditing process. Organizations must address this when moving toward CMMC 2.0 compliance.
CUI can be stored in many places, including:
- Local storage solutions
- Cloud storage solutions
- Portable hard drives or devices
Ensuring CUI is protected is of utmost importance. In the event of an assessment, you must be able to demonstrate that CUI is protected. You should divide data into two categories:
- CUI
- All other data
You can streamline how you implement NIST 800-171 by first safeguarding the most sensitive data – the CUI. Separating the data into categories makes this process easier. You can move on to ensuring all the other data is secure after implementing controls for your CUI.
Now, you can implement controls. NIST 800-171 standards mandate that you encrypt all files in transit and at rest. Ensure you encrypt all CUI wherever it is stored.
You must use solutions to prevent unauthorized users from accessing CUI (e.g., multi-factor authentication tools, access controls, etc.) and keep security patches updated. Remember also to monitor your physical space to mitigate unauthorized access. To do this:
- Escort visitors
- Maintain audit logs
- Monitor visitor activity
- Manage physical devices (e.g., USB keys)
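The two steps above (sort data into CUI and everything else, then gate CUI behind multi-factor authentication and access controls) can be expressed as one default-deny decision function. The following is an added example written for this post, not code from the original page or from Aligned; the CUI folder paths, group names and the list of shared accounts are constructed placeholders that a real deployment would take from its data inventory and directory service.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed: locations the organization has inventoried as holding CUI
# (the "identify which systems store or transfer CUI" step). Hypothetical paths.
CUI_LOCATIONS = ("/shares/cui/", "/cloud/cui-bucket/", "/removable/cui/")

# Hypothetical group names; the real ones come from your directory service.
CUI_READ_GROUP = "cui-readers"
CUI_WRITE_GROUP = "cui-editors"

# Constructed deny-list: shared or generic accounts cannot be traced to one person.
SHARED_ACCOUNTS = frozenset({"admin", "shared", "service", "guest"})


class Classification(Enum):
    CUI = "CUI"
    OTHER = "OTHER"


@dataclass(frozen=True)
class Session:
    user: str
    authenticated: bool
    mfa_verified: bool
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def classify(path: str) -> Classification:
    """Data falls into one of two categories: CUI, or everything else."""
    if any(path.startswith(prefix) for prefix in CUI_LOCATIONS):
        return Classification.CUI
    return Classification.OTHER


def authorize(session: Session, path: str, action: str) -> Decision:
    """Default-deny access decision for a single file operation.

    CUI needs an individual account, MFA and the right group membership;
    all other data still needs an authenticated individual account.
    """
    if action not in ("read", "write"):
        return Decision(False, f"unknown action {action!r}")
    if not session.authenticated:
        return Decision(False, "not authenticated")
    if session.user in SHARED_ACCOUNTS:
        return Decision(False, "shared account: action could not be traced to an individual")
    if classify(path) is Classification.OTHER:
        return Decision(True, "non-CUI data: authenticated individual user")
    if not session.mfa_verified:
        return Decision(False, "CUI requires multi-factor authentication")
    # Editors may read and write; readers may only read.
    permitted = {CUI_WRITE_GROUP} if action == "write" else {CUI_READ_GROUP, CUI_WRITE_GROUP}
    if not (session.groups & permitted):
        return Decision(False, f"CUI {action} requires membership in {sorted(permitted)}")
    return Decision(True, f"CUI {action} permitted for {session.user}")


if __name__ == "__main__":
    alice = Session("alice", True, True, frozenset({CUI_READ_GROUP}))
    print(authorize(alice, "/shares/cui/drawing.pdf", "read"))
    print(authorize(alice, "/shares/cui/drawing.pdf", "write"))
```

The order of the checks is deliberate: identity and authentication are settled before classification, so a shared account is refused even for non-CUI data, and the MFA requirement is applied only where the data category demands it. Every `Decision` carries a reason string so the outcome can be written to the audit trail alongside the user name.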
Create a System Security Plan (SSP)
Develop a System Security Plan that covers the scope of your computer network. This document needs to outline your approach to meeting the requirements of NIST 800-171, covering the processes and technologies you use to implement each security practice.
Your SSP should include:
- The types of CUI your business handles
- What you do with the CUI
- How you store, process, and transmit the CUI
- The controls in place to protect the CUI
- Known gaps in your compliance
Access controls must limit access to authorized users and the actions they need to perform.
The key access points to be tracked:
- IT providers
- Cloud service providers
- Other networks
Regularly review and update this plan to stay current with industry best practices. Each review also confirms that your processes and technologies are effectively implemented and that the program is geared toward meeting CMMC 2.0 requirements.
Plan of Action and Milestones (POA&M)
The DoD plans to allow companies to receive contract awards with a limited-time Plan of Action and Milestones (POA&M) for completing outstanding CMMC requirements. A baseline set of conditions must be met, including a minimum score and ensuring that essential items are not on the POA&M list.
In preparation, document any NIST requirements that are unfulfilled. Annotate the steps being taken to meet them, who will ensure they are fulfilled, and when it’s expected to be completed.
The POA&M is a comprehensive document that requires technical expertise. Work with your internal security team or partner with a Registered Provider Organization (RPO) to complete this documentation.
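A POA&M is easier to keep honest when each entry is checked mechanically for the fields named above (the gap, the steps, an owner, a date) and the list is scored against the minimum-score and no-essential-items conditions. The following is an added example written for this post, not the DoD's or Aligned's tooling. It uses the 110-point scale of the DoD's NIST SP 800-171 Assessment Methodology, but the per-requirement deductions, the set of requirements treated as not POA&M-eligible and the minimum score passed in are constructed placeholders; take the real values from the methodology and the final rule.

```python
from dataclasses import dataclass
from datetime import date

# The DoD's NIST SP 800-171 Assessment Methodology scores out of 110 points and
# subtracts a weighted deduction for each requirement that is not implemented.
MAX_SCORE = 110

# Constructed weights for the handful of requirement numbers used here; the real
# per-requirement deductions come from the Assessment Methodology, not this file.
ASSUMED_WEIGHTS = {"3.1.1": 5, "3.3.2": 3, "3.5.3": 5, "3.13.11": 3}

# Assumed set of requirements the organization treats as not eligible for a POA&M.
ASSUMED_NOT_POAM_ELIGIBLE = frozenset({"3.5.3"})


@dataclass(frozen=True)
class PoamItem:
    requirement: str   # NIST SP 800-171 requirement number, e.g. "3.5.3"
    gap: str           # what is unfulfilled
    steps: str         # actions being taken to meet it
    owner: str         # who ensures it is fulfilled
    due: date          # expected completion date


def validate(item: PoamItem) -> list:
    """Each entry must name the requirement, the gap, the steps and an owner."""
    problems = []
    for field_name in ("requirement", "gap", "steps", "owner"):
        if not getattr(item, field_name).strip():
            problems.append(f"{item.requirement or '<no id>'}: missing {field_name}")
    return problems


def projected_score(open_items) -> int:
    """Score if the listed items were the only unimplemented requirements."""
    return MAX_SCORE - sum(ASSUMED_WEIGHTS.get(i.requirement, 1) for i in open_items)


def readiness(open_items, today: date, minimum_score: int) -> dict:
    """Check a POA&M against a minimum-score / no-essential-items rule.

    Overdue items are reported but do not by themselves block eligibility;
    incomplete entries and non-eligible requirements do.
    """
    problems = [p for item in open_items for p in validate(item)]
    overdue = sorted(i.requirement for i in open_items if i.due < today)
    blocked = sorted(i.requirement for i in open_items
                     if i.requirement in ASSUMED_NOT_POAM_ELIGIBLE)
    score = projected_score(open_items)
    return {
        "score": score,
        "problems": problems,
        "overdue": overdue,
        "not_poam_eligible": blocked,
        "eligible": score >= minimum_score and not blocked and not problems,
    }


if __name__ == "__main__":
    # Constructed sample entries.
    items = [
        PoamItem("3.3.2", "file server cannot attribute actions to individuals",
                 "deploy endpoint audit agent", "it-lead", date(2024, 6, 30)),
        PoamItem("3.13.11", "legacy portal uses non-FIPS TLS stack",
                 "migrate portal behind FIPS-validated proxy", "app-owner", date(2024, 1, 15)),
    ]
    print(readiness(items, date(2024, 3, 1), minimum_score=88))
```

Running the report on every POA&M revision makes it obvious when a new gap has pushed the projected score below the threshold, when an entry has lost its owner, or when a requirement the organization has decided cannot sit on a POA&M has crept onto the list.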
Most cyber incidents start at the human level. User error puts your organization – and data – at risk. Educate your employees on the importance of strong passwords, security patches, and recognizing malicious links.
Employees must understand how to process, store, and transmit CUI in accordance with NIST 800-171. This training is a vital step, as they are the ones who will regularly interact with the data. Training should be ongoing, and you should share any changes to compliance processes with them.
To be NIST compliant, you must be able to record all user activities and have a solution that can track every action back to an individual. Administrators should monitor who is accessing CUI and why, and procedures should be in place for the monitoring process.
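The "track every action back to an individual" requirement is something an administrator can verify by reading the audit trail back and looking for CUI events that carry no user or a shared account. The following is an added example written for this post, not code from the original page or from any logging product; the log lines are constructed in a simple key=value format, and the CUI path prefix and the list of shared accounts are placeholders.

```python
import re
from collections import Counter

# Constructed sample audit lines (hypothetical format). One line names a shared
# account and one records no user at all; both should be flagged.
SAMPLE_LOG = """\
2024-03-04T10:15:22Z user=alice action=read object=/shares/cui/drawing.pdf result=allow
2024-03-04T10:16:02Z user=alice action=write object=/shares/cui/drawing.pdf result=deny
2024-03-04T10:20:45Z user=admin action=read object=/shares/cui/bom.xlsx result=allow
2024-03-04T10:21:10Z action=read object=/shares/cui/bom.xlsx result=allow
2024-03-04T10:25:00Z user=bob action=read object=/shares/public/news.txt result=allow
"""

# Constructed: accounts that do not identify one person, and where CUI lives.
SHARED_ACCOUNTS = frozenset({"admin", "shared", "service", "guest"})
CUI_PREFIXES = ("/shares/cui/",)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line: str) -> dict:
    """Turn 'TIMESTAMP key=value key=value ...' into a dict; {} for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    event = {"ts": m.group("ts")}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def is_cui(path: str) -> bool:
    return path.startswith(CUI_PREFIXES)


def review(log_text: str) -> dict:
    """Flag CUI events that cannot be tied to an individual; count allowed CUI access per user."""
    unattributable = []
    per_user = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not is_cui(ev.get("object", "")):
            continue
        user = ev.get("user")
        if user is None:
            unattributable.append((ev["ts"], "no user recorded"))
        elif user in SHARED_ACCOUNTS:
            unattributable.append((ev["ts"], f"shared account {user}"))
        elif ev.get("result") == "allow":
            per_user[user] += 1
    return {"unattributable": unattributable, "cui_access_by_user": dict(per_user)}


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for ts, why in report["unattributable"]:
        print(f"{ts}: {why}")
    print("allowed CUI access by user:", report["cui_access_by_user"])
```

The per-user counts give the administrator the "who is accessing CUI" view the paragraph asks for, and the unattributable list is the evidence that a logging gap or a shared credential needs fixing before an assessor finds it. Denied attempts are parsed but not counted as access, which keeps the count an honest measure of actual CUI exposure.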
Conduct Regular Internal Assessments
Conduct regular assessments to ensure your organization complies with NIST – quarterly or bi-annually. These internal assessments will ensure that the current processes continue to protect CUI. With any changes that arise, such as growth or new technologies, you should assess how they will impact your data security processes and policies.
CMMC assessments currently aren’t available. However, the DoD allows third-party assessor organizations to conduct joint assessments with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
The Joint Surveillance Voluntary Assessment program validates the organization’s compliance with NIST 800-171. The DIBCAC records the assessment score and will convert it to CMMC 2.0 Level 2 when the rule becomes final. Currently, 60 companies are signed up for this process, seven of which have completed it.
Now is the time to get ahead of your competitors by getting an early assessment in the Joint Surveillance Voluntary Assessment program. Don’t let this opportunity pass you by.
Aligned is proud to assist American companies in protecting our warfighters. We were among the first companies selected as a CMMC Registered Provider Organization (RPO). One of our missions is to assist companies in creating an effective plan and preparing for their CMMC assessment. If you need help or have any questions, please get in touch with one of our experts.