CMMC 2.0 and FOCI Assessments: Preparing for What Lies Ahead

American Conference Institute (ACI)

Defense contractors and subcontractors that handle Controlled Unclassified Information (CUI) and do not have robust information-security system controls in place better get their house in order now if they want to do business with the U.S. government before the initial implementation phase of Cybersecurity Maturity Model Certification (CMMC) 2.0 begins next year.

In December 2023, the Department of Defense (DoD) published a proposed rule outlining a “comprehensive and scalable” assessment program as a way for the DoD to validate that defense contractors and subcontractors have implemented the security protections required by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171, Revision 2, which describes security requirements for protecting CUI in nonfederal systems and organizations.

Although NIST recently published the final version of 800-171 Revision 3, the DoD said it is not incorporating that version into the CMMC program at this time.

CMMC 2.0: Three assessment levels

The CMMC program’s purpose is to verify and provide assurance that robust security safeguards are in place to protect sensitive unclassified information shared between the DoD and its contractors and subcontractors, or generated by contractors and subcontractors.

CMMC 2.0 establishes the following three levels of assessments, depending on the type and sensitivity of the information:

  • Level 1: Contractors and applicable subcontractors must verify through an annual self-assessment that they have implemented all 15 security requirements specified in FAR clause 52.204–21, which outlines basic safeguards for CUI. The results of the assessment must be entered electronically in the Supplier Performance Risk System (SPRS).
  • Level 2: Contractors and applicable subcontractors must verify that they have implemented all 110 security requirements of NIST SP 800–171 Rev 2. The DoD will determine on a contract-by-contract basis whether a self-assessment will suffice or whether the assessment must be performed by an accredited CMMC Third Party Assessment Organization (C3PAO). Self-assessments would be performed on a triennial basis, while a third-party certification will be good for up to three years.
  • Level 3: These are the highest priority, most critical defense programs that will require government-led assessments. Once CMMC 2.0 is finalized, contractors and applicable subcontractors must implement the 24 selected security requirements from NIST SP 800–172. CMMC Level 2 is a prerequisite for CMMC Level 3.

All three levels of assessments additionally require affirmations. A senior official from the prime contractor and any subcontractor must annually affirm continued compliance with the specified security requirements, entered electronically in the SPRS. For Levels 2 and 3, selected requirements are allowed to have a Plan of Action and Milestones (POA&M), which must be closed out within 180 days of the assessment.

Implementation of the CMMC 2.0 will follow a phased-in timeline. Starting Oct. 1, 2025, certain DoD contractors must demonstrate compliance with CMMC 2.0 through a C3PAO. In the final phase, all Defense Industrial Base (DIB) contractors and subcontractors must demonstrate compliance with CMMC 2.0 starting in 2028.

Joint Surveillance Voluntary Assessment Program

In the interim, the Defense Contract Management Agency (DCMA) and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) have begun performing “medium” and “high” assurance assessments on DIB contractors that have already self-attested.

“In a nutshell, the medium assessment is more like a health and wellness check,” said Curtis Chappell, vice president of security for Thales Defense & Security, speaking on a recent ACI webinar. “It’s primarily a snapshot of your system security plan and understanding where you are on your journey.”

The high assurance assessment, on the other hand, is far more thorough, entailing a five-day onsite comprehensive audit to validate contractors’ compliance with all 110 requirements of NIST SP 800-171, Chappell explained. He said the process is worth going through, however, because a successful high-assurance assessment likely will translate into a CMMC Level 2 certification.

Moreover, contractors should not fear the process. With the DCMA and DIBCAC, “there is no ‘gotchya’ intent,” Chappell said. “If you are going through it, think of it as a good thing, not a negative.”

Jill McClune, general counsel at Avon Protection Systems, said going through the assessment process helped raise awareness of the company’s cybersecurity program within the whole organization. She encouraged other contractors to “look at it as a really good opportunity” to do the same. “It’s definitely something to take seriously but not to be scared of,” she said.

Choosing a C3PAO

McClune stressed the importance of finding a C3PAO now, not waiting for the implementation period to begin. “For my organization, we have already identified our C3PAO,” she said.

The C3PAO will partner with DIBCAC to help the contractor breeze through the CMMC certification process. “You are choosing to take this step proactively,” Chappell said, adding that it’s a “transition exercise to help some companies get over this hump” and is a “good activity for checks and balances” to understand where the company is on its CMMC journey.

As with most compliance undertakings, a cross-functional effort is a best practice – legal, compliance, program managers, IT, and the chief information security officer should be working alongside the business to holistically look at the company’s information-security policies and procedures to identify and fix any security gaps.

FOCI risk mitigation

As part of the U.S. government’s continued efforts to safeguard national security interests, including within the defense supply chain, the DoD recently issued Instruction 5205.87, which describes procedures for the DoD to determine if a covered contractor or subcontractor is under foreign ownership, control, and influence (FOCI) and whether such FOCI poses a risk to national security or potential risk of compromise.

The Instruction also covers policies on how to mitigate risks posed by foreign entities who exert too much control or influence over contractors and subcontractors of U.S. companies doing business with the DoD.

These policies and procedures implement Section 847 of the National Defense Authorization Act (NDAA) for fiscal year 2020, which requires that existing or prospective contractors or subcontractors with federal contracts valued at more than $5 million must disclose their beneficial owners.

Contracts for commercial products or services are excluded, unless the government determines that the contract “involves a risk or potential risk to national security or potential compromise of sensitive data, systems, or processes such as personally identifiable information, cybersecurity, or national security system,” according to the Instruction.

“These FOCI requirements will, for the first time, subject many uncleared DoD contractors to rigorous disclosure requirements, scrutiny, and potential mitigation by the Defense Counterintelligence and Security Agency (DCSA),” stated a client alert from law firm Crowell.

Compliance measures

While federal contractors and subcontractors wait for further guidance on how the DoD will implement the Section 847 NDAA requirements, FOCI-mitigated entities and non-FOCI affiliated entities alike can – and should – still be taking measures to enhance their security controls and add layers of defense.

One measure is to combat supply chain challenges together, including network security challenges. McClune stressed that it’s critically important that the parent and mitigating entity talk about “not just how they’re going to support each other but how they’re going to share information and how they are going to protect the information.”

Also, consider separating network controls. “We are completely disconnected from our affiliates,” Chappell said. “We do not have any network connections whatsoever, which helps me, personally, to demonstrate that we don’t have any FOCI concerns when our network controls are in question.”

It’s also important to understand where your suppliers are on their CMMC journey – managed service providers (MSPs) that hold or host CUI, for example. “The expectations are that all these organizations providing specific support to meet your controls are themselves going to have to be CMMC compliant,” McClune said.

How is information being protected while it is in transit? That’s a “tough conversation to have,” Chappell said, “but you need to have it.”

Also, ensure the FOCI-mitigated company has the necessary security controls, rather than just relying on the controls or assurances of the parent company. Ultimately, it’s to the DCSA’s advantage that the parent company and FOCI-mitigated entity are doing what they need to do to meet their CMMC obligations.

DCSA is going to prefer that a FOCI-mitigated entity review the cyber program rather than a parent company that’s a foreign entity. Don’t work with an entity just because it’s within the same parent company. Go outside and procure directly with another entity. “There are always lots of options available,” Chappell said.

Finally, have a plan moving forward. CMMC 2.0 compliance is a huge investment. For some companies, the investment may be worth it to continue doing business with the U.S. government. For others, it might be too much of a heavy lift, Chappell said. For government contractors that decide to move forward, it’s going to take deep conversations, asking hard questions, and having an open and honest dialogue with suppliers.
