CMMC 2.0: You Cannot Afford to Wait – Here’s Why!
CMMC Model 2.0 was announced in November 2021 and will be implemented through the rule-making process.
The two rules are:
- Part 32 of the Code of Federal Regulations (CFR) (Federal Acquisition Regulation) (FAR)
- Part 48 of the CFR (Defense Federal Acquisition Regulation Supplement) (DFARS)
DoD contractors will be required to comply once rule-making is final. Both rules will have a public comment period, and rule-making is expected to last through May 2023. At that point, CMMC requirements will begin to be included in DoD solicitations. Although rule-making will not be final until then, the DoD encourages contractors to continue improving their cybersecurity posture during the interim period while the rule-making is underway.
MINIMUM REGULATORY REQUIREMENTS BEFORE CMMC CERTIFICATION
Some contractors have not completed their prerequisites to CMMC, which are based on the rules (CFR Part 32 and Part 48). All DoD contractors that store, process, and/or transmit Controlled Unclassified Information (CUI) must meet the following:
1. FAR 52.204-21: "Basic Safeguarding" Cybersecurity Requirements for Federal Contractors – 15 security controls
2. DFARS Clause 252.204-7012: NIST SP 800-171 Self-Assessment – 110 security controls – complete by 12/2017
3. DFARS Clause 252.204-7019: NIST SP 800-171 Self-Assessment [reportable score to the Supplier Performance Risk System (SPRS)]
4. DFARS Clause 252.204-7020: NIST SP 800-171 independently assessed by DCMA / DIBCAC [mostly large contractors]
At a minimum, small to medium businesses (SMB) must meet numbers 1, 2, and 3 above. The DoD contractor must meet the 15 basic safeguarding requirements (#1 above), conduct a self-assessment of the 110 security controls in NIST SP 800-171 (#2 above), and report its SPRS score based on that assessment (#3 above).
DO NOT WAIT TO PREPARE FOR CMMC CERTIFICATION
Preparing for CMMC Level 2 is time-intensive and cannot be done at the last minute. The finalization of rule-making may catch some DoD contractors off guard if the prerequisites are not completed.
The CMMC ecosystem (assessors and consultants) will be stretched, and there could be a mad rush to the finish line once final rule-making is completed. Starting the journey, if it has not already started, begins with the DFARS clauses. Doing nothing is not a plan; it is risky and ignores FAR, CUI, DFARS, and CMMC compliance requirements.
RECOMMENDED STEPS FOR CMMC READINESS
- Define your CUI boundaries:
  - Know where CUI is
  - Isolate CUI
  - This should be done regardless of CMMC requirements; protecting CUI has been a requirement since 2015
- Develop your System Security Plan (SSP):
  - Without an SSP, an SPRS score cannot be calculated.
  - Lack of an SSP, or an SSP that lacks sufficient detail, will fail an assessment before the assessment has a chance to get off the ground.
  - Most SSPs will be 50+ pages; many are 100+ pages.
- Ensure your NIST SP 800-171 self-assessment is completed:
  - Post your SPRS score if not done yet (per DFARS 252.204-7019)
  - This is not an IT-only endeavor; non-IT stakeholders must be involved.
- Get familiar with the CMMC 2.0 source documents:
  - CMMC Scoping Guidance
  - CMMC Assessment Guides
  - CMMC Assessment Process (on its way)
- Assign roles, responsibilities, and tasks:
  - A Responsibility Traceability Matrix (RTM) is recommended
- Coordinate with your managed service providers (MSP) and cloud service providers (CSP):
  - Ensure there is a Shared Responsibility Model (SRM) that establishes responsibility and accountability between your company and each service provider
- Remediate all gaps found in the self-assessment
- Get an independent consultant to review (fresh eyes to review gaps or validate that controls are implemented)
Plan a strategy for preparing for a CMMC assessment. A good way of doing this is to set a target date for CMMC readiness. Have no fear; this is within the DoD contractor's control. Failing a CMMC assessment for certification has a significant financial impact, as it could cause the contractor to be ineligible for contract award, especially if some checkpoints have been missed along the way!