With the concerning upward trend of cyberattacks, the Department of Defense (DoD) had to rethink its existing approach to cyber threat remediation. In order to protect national security, the DoD created the cybersecurity maturity model certification (CMMC) program. Introduced in January 2020, this is a measure that affects the Defense Industrial Base (DIB), which is comprised of over 300,000 contractors.
While there are already a few regulations that address cybersecurity issues—like NIST SP 800-171—CMMC brings the best parts of these regulations together. The goal is to ensure all contractors are taking the necessary precautions to protect sensitive information. However, a lot has happened since the beginning of last year. Has the CMMC been updated to meet growing cybersecurity needs?
The DoD is taking a slow and steady approach with its CMMC requirements to give contractors enough time to make the necessary changes. Requests for information started as early as September 2020, with an estimated 15 procurements for critical DoD programs and technologies by the end of 2021. That’s expected to rise to 75 in 2022, 250 in 2023, 325 in 2024, and 475 in 2025. Full implementation of CMMC compliance is expected by 2026.
Several significant changes have occurred in the months since implementation began. Two of the most notable were the creation of the CMMC Accreditation Body (CMMC-AB) and the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule.
DFARS covers the protection of controlled unclassified information (CUI) as a requirement for all contractors doing business with the DoD. The standards within DFARS act as a method for self-assessment. However, DFARS lacks sufficient security standards to meet today’s cybersecurity needs. The Interim Rule introduces new requirements that are meant to supplement current DFARS regulations and increase contractor security until the CMMC is fully rolled out.
The DFARS Interim Rule introduces three new clauses: DFARS 7019, DFARS 7020, and DFARS 7021.
- DFARS 7019: This clause requires a contractor to submit a NIST 800-171 assessment score to the Supplier Performance Risk System (SPRS) before it can be awarded a contract or subcontract.
- DFARS 7020: This standard allows the DoD to request an ad hoc medium- to high-level audit to verify the assessment score submitted by the contractor to the SPRS.
- DFARS 7021: This clause requires contractors to maintain a current certification—it can’t be older than three years—and to commit to maintaining security from the time certification was given to the present. In addition, contractors must include a CMMC clause in subcontracts and verify that subcontractors hold the appropriate CMMC certifications.
The CMMC-AB is a non-profit organization that was created to oversee the accreditation process. It is meant to be the sole authority on performing CMMC assessments and training for the DoD contractor community. This corporation operates under an exclusive contract with the DoD and serves as the provider of CMMC licensing and certification for CMMC Third Party Assessment Organizations (C3PAOs), training providers, instructors, and assessors.
While 2020 was focused on laying the groundwork for the CMMC to take hold, this year is a little different. The center of attention for 2021 is maturity, threat identification, and remediation. This is especially the case after a recent attack against a major fuel pipeline threatened to disrupt the national economy and deprive the East Coast of most of its fuel.
At the core of the CMMC is the demand for contractors to implement strong cybersecurity measures to counteract cyber threats. In addition, contractors should be continually looking out for gaps in security, reporting on their plan to remove those gaps, and filling out their plan of actions and milestones (POA&M). It’s expected that contractors have their security programs in place for an acceptable amount of time before applying for CMMC certification.
Now that contractors have had some time to adjust to the requirements of CMMC, maturity is the next step. The CMMC defines levels that indicate how mature your cybersecurity program is. The longer you have run a cybersecurity program that meets all CMMC requirements, the more credibility and maturity you gain.
DoD personnel involved with the implementation of the CMMC believe it should take anywhere from six to nine months before a POA&M can be fully implemented. This is needed before you can achieve full compliance. The sooner you implement your own POA&M, the higher your maturity can be, which could give you a competitive advantage over other contractors.
We’re more than a year into the implementation of the CMMC. Contractors that have already begun making changes to their cybersecurity programs have a head start. This means there’s no time to waste, and you need to start working toward achieving compliance. The best way to reach compliance is by emphasizing threat identification and remediation.
The first step is to meet the compliance requirements outlined in the DFARS Interim Rule. If you’ve been staying up-to-date with DFARS, it’s possible that you have already satisfied the requirements. If that’s the case, then you can focus on the deliverables like improving your assessment for SPRS.
It’s also important to keep in mind that CMMC audits are likely to increase the later we get into the year. This may go hand in hand with the release of new programs and contracts that contain CMMC requirements. If your current contract is set for recompete this year, the DoD may decide to audit your organization.
Cybersecurity is our specialty at RCS Secure. We offer a range of services to protect your business from even the worst cyberthreats. If you need help with CMMC certification, we have your back. Our experts guide you through the process of achieving CMMC compliance, so you can earn the DoD contracts you’re looking for.
Learn more about cybersecurity compliance by contacting us today!
RCS Secure offers a full spectrum of cyber security safeguards and services. Our services combine compliance standards expertise with cutting-edge technology to identify risks, prioritize remediation, and ensure you are both secure and compliant.