There’s a silver lining amidst the coronavirus pandemic for GovCons that do business with the Department of Defense (DoD).
The same virus safety measures that have slowed the rollout of DoD’s new unified cybersecurity standard have bought contractors more time to get up to speed on compliance.
FAR, NIST and Beyond—CMMC is a Must Do for Business with DoD
DoD issued its long-awaited Cybersecurity Maturity Model Certification (CMMC) in January 2020. CMMC builds on the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) frameworks to create cybersecurity controls and policies for defense contractors and the subcontractors in their supply chains. The CMMC requires GovCons to be audited and certified by a Certified Third-Party Assessment Organization (C3PAO).
The five levels of cybersecurity maturity requirements vary according to the sensitivity of the information processed, stored, or transmitted over GovCon and subcontractor information systems:
Level 1 – Basic Cyber Hygiene
Basic cybersecurity practices, generally appropriate for small companies that only handle Federal Contract Information (FCI), which is intended for government use but not for public release. Level 1 is equivalent to all the safeguarding requirements of FAR Clause 52.204-21.
Level 2 – Intermediate Cyber Hygiene
Universally accepted cybersecurity practices. Security protocols must be documented, including plans and policies that describe the security program. Level 2 is a transitional level for companies working on Level 3 certification.
Level 3 – Good Cyber Hygiene
Level 3 is for contractors that have access to or generate controlled unclassified information (CUI). The level requires all NIST SP 800-171 security controls as well as requirements from other compliance frameworks.
Level 4 – Proactive Cyber Hygiene
Controls at this level focus largely on upgrading security tactics and techniques to guard against advanced persistent threats (APTs). At this level, a GovCon must document and review all security protocols for effectiveness and promptly report issues to upper management.
Level 5 – Advanced and Progressive Cyber Hygiene
A Level 5 organization can protect against APTs and has a cybersecurity program that adjusts to meet advanced threats. The GovCon must show that security protocols are standardized across all networks, including third-party supply chain organizations.
COVID-19 Challenges Stretch the CMMC Timeline
The original rollout schedule called for DoD to begin CMMC implementation in March 2020 with a “pathfinder” program to assess how compliance will impact the industry. DoD planned to begin incorporating the CMMC into requests for information (RFIs) in June 2020 and into contract awards in fiscal year (FY) 2021. The department aims to phase in the CMMC over the next five years, with the goal of incorporating the new standard into every new DoD contract by FY 2026.
DoD executed a memorandum of understanding (MOU) with the CMMC Accreditation Body (CMMC-AB) at the end of March 2020. CMMC-AB will develop the assessment, certification, training, and accreditation processes.
DoD intends to implement the CMMC by revising DFARS 252.204-7012 and complete the rule change by October 2020. The department will not include CMMC requirements in solicitations until after it issues a final rule. The regulatory process requires a public hearing, however, and DoD must determine how to incorporate social distancing and other safety directives before scheduling the hearing.
Your Preliminary To-Do List for CMMC Compliance
With the timing of the DoD rule still in flux, here’s what your firm can do now to prepare for CMMC compliance:
- Determine what kind of DoD contracts you’ll aim for. If you think you or your subcontractors will have access to or generate CUI, you’ll need to be certified at Level 3 or higher.
- Make sure you already comply with relevant DoD cybersecurity requirements. You must bring your cybersecurity protocols into compliance with DFARS 252.204-7012 at the least, or you won’t get certified above Level 2.
- Review DoD guidance. With the final rule months away, DoD has provided guidance that identifies the practices and other regulatory requirements that contractors must meet at each CMMC level. If your firm implements these items, you’ll be well-positioned when the department issues its final rule.
For further guidance on CMMC, reach out to CAVU’s federal market experts to create a strategy customized to your firm’s business goals.