By Zachary Amos, Features Editor at ReHack
Organizations, contractors, and subcontractors in the Defense Industrial Base (DIB) sector must understand the implications and requirements of the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC).
On Nov. 4, 2021, the U.S. DoD announced the CMMC 2.0, an updated iteration of the agency’s original cybersecurity program focused on safeguarding sensitive information. CMMC 2.0 introduces several new requirements that build on the first version of the program, known as CMMC 1.0.
The second version of the CMMC isn’t strictly required until 2026, but any organization in the defense contract supply chain should take various steps to prepare for the upcoming CMMC requirement.
Understanding CMMC 2.0 and Why Compliance Matters
The U.S. DoD implemented the CMMC program to mitigate risks in the increasingly dangerous global cybersecurity landscape. Frequent and sophisticated cyberattacks targeting the DoD can put highly sensitive or classified data at risk, ultimately threatening national security.
Thousands of companies, organizations, and individuals operate in the DIB sector and play a significant role in the nation’s economy. This vast network supports the DoD in several ways, which allows the department to function properly, strengthen operations and keep the country secure.
However, the number of organizations tied to the DoD expands the attack surface for malicious threat actors. Members of the DIB network are valuable targets for cybercriminals due to the sensitive nature of the data they hold and use. Any DIB contractors working with controlled unclassified information (CUI) or federal contract information (FCI) must safeguard it according to federal regulations set forth by the government.
Implementing the DoD’s CMMC 2.0 program will impact around 300,000 organizations. The program’s objective is to ensure DIB companies and contractors have appropriate cybersecurity measures to protect themselves and other players in the DIB and the DoD.
5 Steps to Prepare for CMMC 2.0 Compliance
Members of the DIB have a few years until the CMMC becomes official. The final rule that officially enacts CMMC will likely be published sometime in late 2023 or early 2024. Once codified, the CMMC 2.0 will require DIB contractors to comply with different CMMC levels, depending on which types of data they access.
While it may seem far away to some, hundreds of companies are already preparing for CMMC assessments. Below are five steps DIB companies, contractors, and subcontractors can take to prepare for CMMC.
1. Determine CMMC Certification Level
There are three CMMC levels an organization must comply with: Levels 1 (Foundational), 2 (Advanced), and 3 (Expert). The first step companies should take to prepare for CMMC is determining which level to certify against. Much of this will come down to what data the organization works with.
All contractors must meet the minimum Level 1 requirements to process FCI. Companies working with CUI need to certify against Level 2, and those working with very sensitive CUI need to certify against Level 3. Most DIB contractors will fall under Levels 1 and 2, while major companies with DFARS (Defense Federal Acquisition Regulation Supplement) clauses must meet Level 3 requirements.
2. Identify CUI and FCI
The DoD will only require organizations to certify departments that work with CUI and FCI. Anything outside of those types of data does not require certification. Therefore, the next best step DIB contractors must take is identifying CUI and FCI.
Companies must review their contracts and documentation to determine which information is considered CUI or FCI. They’ll need to look at where critical data is stored, how it’s processed, and how it’s transmitted to and from other users. Additionally, contractors must identify the employees responsible for handling FCI and CUI.
3. Conduct a CMMC Gap Analysis
The next step is to conduct a CMMC gap analysis to help gauge compliance, determine if current practices are effective, collect relevant evidence, and plan to rectify any weaknesses or security issues.
Organizations that conduct NIST 800-171 assessments have an advantage — the gap analysis needed in this step is the NIST 800-171 Basic Assessment. Other methods of conducting a gap analysis include using spreadsheets, leveraging a governance, risk and compliance (GRC) solution, or speaking with a compliance consultant with CMMC knowledge.
4. Develop a System Security Plan (SSP)
Next, contractors must put all the information from the previous steps into a system security plan (SSP). An SSP is a crucial document that outlines how an organization will implement CMMC compliance requirements. Security personnel responsibilities must be included, in addition to details regarding guidelines the organization will follow to maintain CMMC compliance.
5. Earn CMMC Certification
DIB contractors will be prepared to earn CMMC certification after completing the four steps above. Contractors must choose from various Certified Third-Party Assessor Organizations (C3PAOs), which are currently in short supply, if they want to receive Level 2 certification.
Those shooting for the Level 3 CMMC must pass a government-led assessment. Unfortunately, the DoD has not released specific details about these more formal evaluations. Contractor certifications are valid for three years.
Stay Ahead of the CMMC 2.0
After receiving the CMMC certification, members of the DIB network will need to follow the same process to get recertified. However, performing the steps above should make this simple. The DIB supply chain must maintain a strong cybersecurity posture by complying with the CMMC as attacks against the DoD become more frequent.
As the Features Editor at ReHack, Zac Amos writes about cybersecurity, artificial intelligence, and other tech topics. He is a frequent contributor to Brilliance Security Magazine.