Last Updated on November 1, 2021
Unless you have been living under the proverbial rock, you have heard about CMMC, the Cybersecurity Maturity Model Certification. This new cybersecurity standard is currently in the rollout phase for every organization in the US Department of Defense (DoD’s) defense industrial base (DIB). In short, if you are working for a DoD agency or for a subcontractor to a prime contractor, you will need to achieve CMMC requirements for all future contracts.
CMMC is being rolled out as part of a broader initiative by the US federal government to enforce cybersecurity regulations that, to this point, have not been enforced. CMMC is intended to address deficiencies in conformance with:
- The DFARS 252.204-7012 clause, “Safeguarding Covered Defense Information and Cyber Incident Reporting” (published in October 2016), which mandates compliance with NIST Special Publication 800-171 for the protection of Controlled Unclassified Information (CUI). As of December 31, 2017, all contractors and subcontractors operating in government supply chains were responsible to self-attest to compliance with NIST 800-171. Unfortunately, most organizations subject to DFARS 7012 failed to meet the requirements. Hence CMMC Level 3, which ensures that they do so via a third-party assessment.
- The FAR 52.204-21 clause, “Basic Safeguarding of Covered Contractor Information Systems” (published on May 16, 2016), which mandates that contractors protect their systems with 15 basic cybersecurity requirements for the protection of Federal Contract Information (FCI). Unfortunately, there was no government enforcement. Hence CMMC Level 1, which ensures that they do so via a third-party assessment.
The latter is important because a large percentage of federal contracts (both DoD and non-DoD) include FAR 52.204-21 to protect FCI. The logical inference is that CMMC Level 1 can (and likely will) be used for any contracts with a US government agency (or a prime contractor to the government). Assuming so, your organization will need to address the 17 CMMC Level 1 requirements, which align with the 15 cybersecurity requirements outlined in FAR 52.204-21.
Where it gets even more interesting is that many non-DoD agency contracts involve CUI. Looking at the CUI Registry, you’ll note that Defense is one of 20 CUI “groupings,” most of which have multiple CUI categories. Other examples of CUI include student information, financial information, law enforcement, health information, etc. Another logical inference is that CMMC Level 3 can (and likely will) be used in the future for any contracts with a US government agency (or a prime contractor to the government) that includes systems that store, process, or transmit CUI.
If you think that I am “reaching,” I strongly encourage you to read President Biden’s recent Executive Order on Improving the Nation’s Cybersecurity, which draws a direct line between our national sovereignty and the security posture of the government and its supply chain. Further, the transition to CMMC is already occurring. GSA has CMMC provisions in the draft Polaris Contract. The Department of Education has advised Institutes of Higher Education (IHE) to be prepared for NIST 800-171/CMMC Level 3 enforcement.
On a positive note, achieving FAR 52.204-21/CMMC Level 1 compliance is a relatively low bar. By extension, therefore, any organization that is not in compliance is at considerable risk for a security incident.
As the US government is responsible for roughly 40% of our $20 trillion-dollar GDP, that should give you about 8 trillion reasons to promptly become FAR 52.204.21/CMMC compliant.
Check out this recent episode of The Virtual CISO Podcast with John Verry to learn about a proven process for achieving compliance: