CMMC 2.0: Level One: A Self-Assessment

Dunlap Bennett & Ludwig PLLC

As promised in our earlier 2024 CMMC Blog – “Get Ahead of Compliance: The Proposed Rule for the Cybersecurity Maturity Model Certification (CMMC 2.0) Is Out!” – we continue our series with a discussion of each level of compliance, why it is important to understand each level, and how to prepare your company for it. With the public comment period for the CMMC 2.0 proposed rule recently closed, this is a good time to examine the compliance requirements, starting with the first tier of CMMC 2.0, CMMC Level One “Self-Assessment.”

The Department of Defense (“DoD”) estimates that approximately 139,201 entities including Defense Industrial Base (“DIB”) contractors, subcontractors, and External Service Providers will be subject to the CMMC Level One Self-Assessment requirements.[1]

CHANGE/UPDATE

The good news is that the security requirements for the DIB community haven’t changed – they are taken directly from existing regulations and guidelines already imposed in FAR 52.204-21 and DFARS subpart 204.73. Depending on how much defense contractors have invested in their cybersecurity systems and used the National Institute of Standards and Technology (NIST) Special Publication 800-171 as the model, this may be a very easy transition. NIST SP 800-171 was first published in 2015 (Revision 1 followed in 2016), so companies should be in compliance by now, correct? The reality is … many are not. The age of unverified self-certification and putting off compliance is over with the implementation of the CMMC: a Level One assessment is still performed by the contractor itself, but it now must be backed by an annual affirmation from a senior official, as discussed below. The bottom line is that DIB contractors who fail to comply with the CMMC will no longer be eligible for DoD contract awards – this includes both prime contracts and subcontracts.

OUTLINE COMPLIANCE

CMMC Level One consists of the 15 requirements listed in FAR clause 52.204-21(b)(1), Basic Safeguarding of Covered Contractor Information Systems. This clause applies to any contractor that owns or operates a covered contractor information system, i.e., an information system that processes, stores, or transmits Federal Contract Information (FCI). FAR 52.204-21(a). The safeguarding and security requirements and controls that apply to these information systems are:

(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

(iii) Verify and control/limit connections to and use of external information systems.

(iv) Control information posted or processed on publicly accessible information systems.

(v) Identify information system users, processes acting on behalf of users, or devices.

(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

(xii) Identify, report, and correct information and information system flaws in a timely manner.

(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.

(xiv) Update malicious code protection mechanisms when new releases are available.

(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Id. at 52.204-21(b)(1). Each of these security requirements is mapped to the corresponding assessment objectives in NIST SP 800-171A, and the proposed rule points to that mapping at § 170.15(c)(1)(ii).

How is the self-assessment made at Level One? Contractors must meet the CMMC requirements throughout performance of the DoD contract, not just at award. According to the Proposed Rule, 32 CFR part 170 et seq., the Organization Seeking Assessment (OSA) must meet all of the security requirements specified in § 170.14(c)(2), following the procedures outlined in § 170.15(c)(1). Before any assessment is made, the CMMC Assessment Scope must be specified to determine which assets are in scope and which are out. § 170.19. Only those assets that process, store, or transmit FCI are within scope and must be assessed against the applicable security requirements. § 170.19(b)(1). In identifying in-scope assets, the OSA should consider the people, technologies, facilities, and External Service Providers that touch FCI. § 170.19(b)(3).

The results of the self-assessment, together with an affirmation, must be submitted in the Supplier Performance Risk System (SPRS) annually by a senior official of the OSA who is responsible for ensuring the OSA’s compliance. § 170.22. A CMMC affirmation must include the name, title, and contact information of the affirming official and a statement “attesting that the OSA has implemented and will maintain implementation of all applicable CMMC security requirements for all information systems within the relevant CMMC Assessment Scope at the applicable CMMC level.” § 170.22(a)(2)(i).

As part of the DoD’s phased implementation, beginning October 1, 2026, the DoD intends to include CMMC requirements at all levels in every solicitation where the FCI and/or CUI involved in contract performance warrant safeguarding. At CMMC Level One there is no opportunity to cure deficiencies after the fact or to ask for additional compliance time: a Plan of Action and Milestones (POA&M) is not permitted at Level One, so every one of the 15 requirements must be fully met before the affirmation is made.

If you are a DIB contractor, large or small, prime or sub, now is the time to engage and obtain an outside assessment to ensure that you can continue to perform DoD contracts. There are currently not enough assessors to meet the demand, so the sooner you engage a provider the better. Any corporate officer signing off on the self-assessment should be cautious and confirm that the systems within the assessment scope actually meet all 15 requirements before approving the affirmation. An inaccurate attestation can carry heavy penalties, including but not limited to personal liability, large fines, and/or criminal prosecution. Most importantly, failing to bring your information system into compliance with the CMMC can eliminate your organization’s ability to contract or subcontract with the DoD.

[1] Proposed Rule, Cybersecurity Maturity Model Certification (CMMC) Program, https://public-inspection.federalregister.gov/2023-27280.pdf, p. 103.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dunlap Bennett & Ludwig PLLC | Attorney Advertising
