The U.S. Department of Defense (DoD) has introduced a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) Program. This initiative aims to verify that defense contractors and subcontractors meet specified security standards across three CMMC levels throughout their contract duration.
The proposed rule outlines security controls, assessment procedures, and prioritized programs, aligning with the CMMC 2.0 framework. It applies to all DoD contractors and subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). However, it does not itself alter the existing Federal Acquisition Regulation (FAR) or DoD FAR Supplement (DFARS) requirements; it adds an assessment and certification layer on top of them.
In this blog post, we’ll examine the proposed rule for the CMMC program in more detail. We’ll explore its key objectives, which framework it aligns with, and potential implications for defense contractors and subcontractors handling sensitive information.
Key Provisions of the Proposed CMMC Rule
The proposed CMMC rule lays out the security controls for three levels, which follow the CMMC framework’s tiered approach to cybersecurity maturity. Each level has increasing requirements and sophistication in cybersecurity practices. The rule also outlines processes and procedures for assessing and certifying compliance, emphasizing the need for thorough evaluations to ensure adherence to specified security controls.
Furthermore, the rule defines the roles and responsibilities of stakeholders, such as the Federal Government, contractors, and third parties, in ensuring transparent compliance to promote a robust security posture across the defense industrial base (DIB).
Below is the proposed CMMC rule for the three levels of CMMC:
- Level 1 pertains to contractors handling only FCI. They must comply with the 17 security controls specified in FAR 52.204-21, which are fundamental cybersecurity practices. Additionally, they must conduct a yearly self-assessment, record the results in the Supplier Performance Risk System (SPRS), and submit an annual affirmation of continued compliance.
- Level 2 applies to most contractors in the DIB, and requires implementing the 110 security requirements of NIST SP 800-171. A small group of contractors, as determined by the DoD for the particular contract, would need only a self-assessment, performed every three years. Most companies that handle CUI, however, would be subject to a certification assessment by a Certified Third-Party Assessment Organization (C3PAO) every three years. In both cases the results are recorded in SPRS, and the contractor must submit an annual affirmation that it continues to meet the requirements.
- Level 3 targets DIB contractors performing work on the highest-priority defense programs, as identified by the DoD. Those organizations implement advanced security measures to safeguard CUI and FCI against advanced persistent threats (APTs). Contractors at this level must first hold a Level 2 certification and then implement 24 additional requirements selected from NIST SP 800-172. Unlike Level 2, the Level 3 assessment is performed by the DoD itself (the DCMA Defense Industrial Base Cybersecurity Assessment Center, DIBCAC) rather than a C3PAO, again every three years with annual affirmations.
Alignment with CMMC 2.0 Framework
The proposed CMMC rule follows the streamlining efforts of CMMC 2.0, utilizing a tiered approach with three CMMC levels, each with increasingly stringent security control requirements. This approach ensures consistency and makes the expectations easier for the DIB to understand.
Moreover, the proposed rule translates the CMMC 2.0 framework into a legally enforceable regulation. It assigns specific NIST SP 800 standards to each maturity level, making the requirements more precise.
Relationship with FAR and DFARS
The proposed CMMC rule is an additional layer of cybersecurity requirements for DoD contracts. It complements the existing FAR and DFARS and focuses on ensuring that the DIB is adequately assessed for implementing the necessary controls, based on the maturity level assigned in contracts, for the safeguarding and handling of FCI or CUI.
The CMMC rule is designed to integrate seamlessly with the existing acquisition procedures outlined in the FAR and DFARS. The DoD plans to incorporate CMMC requirements into DFARS clauses, ensuring a smooth transition for contractors already familiar with FAR and DFARS. This integration will streamline compliance efforts and maintain consistency in procurement practices.
The CMMC rule aligns with existing cybersecurity frameworks referenced in FAR and DFARS. It codifies specific National Institute of Standards and Technology (NIST) Special Publication (SP) standards for each CMMC maturity level, ensuring consistency and clarity in cybersecurity requirements. This alignment facilitates compliance for contractors already familiar with NIST SP standards and enhances the overall cybersecurity posture of the DIB.
The proposed CMMC rule introduces an attestation and certification process for contractors and subcontractors handling FCI and CUI. While FAR and DFARS establish the contractual obligations and performance standards, the CMMC rule adds cybersecurity assessment, certification, and annual affirmation as a prerequisite for award of DoD contracts that carry a CMMC level. Contractors must demonstrate compliance with both sets of regulations to ensure the security and integrity of DIB information systems that support DoD programs.
Implications for Contractors and Subcontractors
The proposed CMMC rule has varying implications for DoD contractors and subcontractors that constitute the DIB. Let’s take a closer look at what this proposed rule means for stakeholders:
- Compliance Costs: Implementing the cybersecurity controls mandated by the proposed CMMC rule will incur real costs for contractors. Smaller companies, in particular, may struggle to meet the more stringent requirements of Levels 2 and 3. Contractors must understand and budget for these costs in order to remain competitive in the DoD marketplace.
- Certification Process Complexity: The proposed CMMC rule introduces a tiered certification process, with C3PAO assessments required for most Level 2 contracts and government-led assessments for Level 3. This adds a layer of complexity and cost for contractors, who must schedule and pass rigorous evaluations by an independent assessor. Navigating this certification process will be essential for contractors aiming to secure DoD contracts.
- Opportunities for Competitive Advantage: While compliance with the proposed CMMC rule presents challenges, it also offers opportunities for contractors to distinguish themselves in the marketplace. Investing in robust cybersecurity measures can enhance a company’s reputation and competitiveness within the defense industry. Contractors with strong cybersecurity may gain a strategic advantage in securing lucrative DoD contracts over competitors.
- Cybersecurity Awareness and Training: Adapting to the requirements of the proposed CMMC rule will necessitate a focus on cybersecurity awareness and training within contractor organizations. Employees must be educated on cybersecurity best practices and their role in maintaining a secure operating environment. Investing in comprehensive training programs can help contractors build a culture of cybersecurity awareness and resilience.
Conclusion
The proposed CMMC rule is an essential step forward in improving cybersecurity in the DIB. Introducing new standards tailored to the evolving threat landscape, combined with established best practices and guidelines, will undoubtedly enhance the DIB’s overall cybersecurity posture.
By safeguarding national security interests and strengthening the resilience of the DIB networks against cyber threats, the proposed rule is a proactive measure that ensures the defense sector can continue to operate effectively and securely in the face of emerging cyber threats.