The impending impact of CMMC on the DoD supply chain

Cybersecurity maturity model certification (CMMC) and NIST SP 800-171 compliance are crucial for current and future DoD-related opportunities for companies. Understand three certification levels and seven reasons to start now.

By Joe Coleman April 2, 2024
Courtesy: Bluestreak Consulting.

Learning Objectives

  • Understand the potential consequences of choosing not to implement CMMC for the future of their businesses.
  • Understand the importance of cybersecurity maturity model certification (CMMC) and how to get started on the implementation process.

CMMC 2.0 insights

  • The impending release of CMMC 2.0 by the Department of Defense (DoD) mandates cybersecurity certification for handling controlled unclassified information (CUI), affecting defense contractors’ present and future opportunities. CMMC stands for Cybersecurity Maturity Model Certification.
  • CMMC 2.0 introduces three certification levels, emphasizing increasing cybersecurity measures. Levels range from foundational practices for small businesses to expert-level requirements for those handling the most sensitive DoD contracts.
  • The shift to CMMC 2.0 brings contractual, security and competitive ramifications for defense contractors. Compliance ensures eligibility for DoD contracts, secures the defense supply chain and enhances data protection.

The push is on for any organization within the Department of Defense (DoD) downstream services supply chain and the Defense Industrial Base (DIB) to prepare for the full release of the Cybersecurity Maturity Model Certification (CMMC) 2.0. This release affects any company that stores, processes or transmits controlled unclassified information (CUI) in any way as part of its service offerings.

Non-compliance can significantly impact present and future business opportunities for companies in the DoD supply chain. To continue engaging in defense-related work, companies are obligated to obtain CMMC 2.0 certification once the final rule is fully implemented, which is coming soon.

Figure 1: CMMC certification and NIST SP 800-171 compliance are crucial to current and future DoD-related opportunities. Compliance is required for companies in the DoD supply chain. Courtesy: Bluestreak Consulting.

On Dec. 26, 2023, the DoD unveiled the proposed CMMC 2.0 rule, a pivotal step toward unifying cybersecurity requirements for contractors and subcontractors within the Defense Industrial Base (DIB). Addressing the gaps in existing Defense Federal Acquisition Regulation Supplement (DFARS) clauses, the rule will establish a central tool for ensuring continuous compliance with cybersecurity standards. This rule follows the change from CMMC 1.0 to CMMC 2.0 that happened in November 2021. The final rule is expected in the first quarter of 2025. Once the CMMC 2.0 rule is finalized and released, these requirements will begin to be included in DoD contracts, requests for proposals (RFPs) and requests for information (RFIs).

Understanding the three CMMC 2.0 certification levels

CMMC 2.0 represents the latest iteration of the DoD’s cybersecurity regulations. This framework builds on the requirements laid out in DFARS 252.204-7012, 7019, 7020 and 7021 and in NIST SP 800-171 security controls, introducing more stringent criteria for assessing a contractor’s or subcontractor’s cybersecurity capabilities. CMMC 2.0 consists of three maturity levels, each building on the previous level. Each tier of the CMMC 2.0 framework incorporates a set of processes, practices, procedures and capabilities that contractors must implement to achieve the corresponding certification level. These three levels are:

Level 1 – Foundational

  • Level 1 of CMMC 2.0 is referred to as the “foundational” level and represents the most basic level of security, requiring the implementation of fundamental or basic cybersecurity hygiene practices like password management and keeping systems up to date with patches. This level is designed for small businesses with minimal risk to their data and their customers’ data.

  • Level 1 is based on 17 specific controls outlined in NIST SP 800-171 Rev. 2. It serves as a great starting point for organizations that are either beginning their cybersecurity journey or operating with limited resources.

  • Companies that handle Federal Contract Information (FCI) need to obtain a Level 1 certification. These businesses, which include the majority of businesses and government agencies, are not classified as part of critical infrastructure. This level is NOT intended for companies that handle CUI.

Figure 2: On Dec. 26, 2023, the DoD unveiled the proposed CMMC 2.0 rule, making a pivotal step toward unifying cybersecurity requirements for contractors and subcontractors within the Defense Industrial Base (DIB). Courtesy: Bluestreak Consulting.

Level 2 – Advanced

  • Level 2 builds upon the cybersecurity hygiene practices of Level 1 and requires additional measures to be implemented. Level 2 is based on NIST SP 800-171 Rev. 2 requirements and includes 110 security controls. These controls focus on control families, such as access control, incident response, risk management, physical security and system and information integrity.

  • Certification at Level 2 is mandatory for companies handling CUI on behalf of the DoD or DoD prime contractors and is applicable to businesses considered part of critical infrastructure. Critical infrastructure is defined as businesses included in the Defense Industrial Base (DIB), businesses in the DoD supply chain, or businesses that store, process or transmit CUI in any way.

Level 3 – Expert

  • Level 3 is the highest level of CMMC certification and includes the most stringent security measures. Based on NIST SP 800-171 Rev. 2, Level 3 includes additional practices from NIST SP 800-172. These extra practices focus on more rigorous detection and response capabilities, information protection and enhanced system hardening requirements.

  • Level 3 certification is required for the same types of companies that require Level 2 certification but that also handle CUI in the most sensitive or higher-security-assurance DoD contracts. Businesses required to comply with CMMC Level 3 certification are assessed by the Federal Government’s Defense Contract Management Agency (DCMA). Details of the assessment process for Level 3 are currently being developed and finalized.

Seven reasons to start the CMMC 2.0 process

CMMC 2.0 is an enhanced version of the CMMC 1.0 framework developed by the DoD to enhance the cybersecurity posture of defense contractors and their supply chain. Contractors and subcontractors should be particularly concerned about CMMC 2.0 for several reasons, especially if they’ve not started the process:

  1. Contractual requirement: Defense contracts may, and eventually will, mandate compliance with CMMC 2.0. To participate in DoD-related contracts, businesses need certification and must adhere to the cybersecurity standards outlined in CMMC 2.0. The cost of NIST SP 800-171 compliance (NIST 800-171 has no certification) can range roughly between $25,000 and $100,000. The cost to become CMMC 2.0 certified can range from $75,000 to more than $250,000. Roughly, reaching compliance can take between 9 and 24 months.

  2. Supply chain impact: CMMC applies not only to prime contractors but also to subcontractors and their suppliers within the DIB. Businesses in the DoD supply chain may need to meet specific cybersecurity maturity levels to ensure the overall security of the defense ecosystem.

  3. Increased security standards: CMMC 2.0 introduces higher cybersecurity standards and maturity levels compared to CMMC 1.0. Businesses must assess and enhance their cybersecurity measures to meet the specified requirements, which may involve investments in technology, processes and training.

  4. Data protection and confidentiality: Businesses often handle sensitive information related to defense contracts, including designs, specifications and other proprietary data. CMMC 2.0 emphasizes the protection of CUI, and businesses must implement measures to safeguard this information.

  5. Competitive advantage: Being CMMC certified provides a distinct competitive advantage for businesses. It demonstrates a commitment to cybersecurity and can increase the trust and confidence of the DoD and its prime contractors, as well as other key customers.

  6. Continuous monitoring and improvement: CMMC is not a one-time certification but requires continuous monitoring and improvement. Businesses must establish robust cybersecurity practices and maintain them over time to stay compliant. The CMMC 2.0 certification assessment must be performed by an outside certified CMMC Third-Party Assessment Organization (C3PAO). This certification must be repeated every 3 years to remain certified. Each business must also perform its own self-assessment every year, with a senior business officer attesting to this compliance. NIST 800-171 compliance can be achieved through self-attestation and submitting a score to SPRS (Supplier Performance Risk System) each year.

  7. Potential impact on business operations: Not being certified to CMMC 2.0 could lead to disqualification from defense-related contracts. Companies may face business disruptions and loss of opportunities if they fail to meet the DoD’s cybersecurity requirements.

Figure 3: The Cybersecurity Maturity Model Certification (CMMC) 2.0 program is the next iteration of the DoD CMMC cybersecurity model. It simplifies requirements into three levels of cybersecurity and aligns requirements at each level with well-known and widely accepted NIST SP 800-171 cybersecurity standards. Phased roll-out begins first-quarter 2025, but don’t wait until then to begin. Courtesy: Department of Defense (DoD)

How to get started with CMMC 2.0

Although CMMC 2.0 is not yet fully released, it incorporates the security requirements outlined in NIST SP 800-171 Rev. 2, so organizations can begin work now. NIST SP 800-171 and CMMC 2.0 present significant challenges, requiring a substantial effort. The timeline for achieving full compliance can range between 12 and 24 months, with the majority of businesses aiming for a Level 2 certification.

NIST SP 800-171 Rev. 2 is a set of cybersecurity standards and guidelines developed by the National Institute of Standards and Technology (NIST) to protect CUI in non-federal systems and organizations. It is part of NIST’s broader framework for enhancing the cybersecurity posture of businesses and securing sensitive information. CUI includes information that is not classified but still requires protection, such as technical data, proprietary information and other sensitive unclassified information.

Beginning first-quarter 2025, the DoD will begin a phased CMMC 2.0 roll-out, starting with CMMC Level 1 and 2 self-assessment requirements for all new contracts and solicitations. Six months later, CMMC Level 2 certification assessments will be mandatory for all new contracts and solicitations. Do not wait for the full CMMC roll-out to become NIST SP 800-171 compliant and improve the security standing of your non-federal systems.

Don’t risk current and future business with non-compliance

Meeting these DoD regulations requires substantial effort and investment from contractors and subcontractors. However, the business advantages of compliance are also substantial. Adherence to these regulations can aid contractors in reducing the risk of cybersecurity breaches, preserving their reputation and maintaining their eligibility to compete for DoD contracts. Choosing not to implement these requirements can lead to the forfeiture of existing contracts and the inability to bid on new ones. Businesses in compliance with these regulations also may be regarded as more dependable and trustworthy partners by the DoD and its prime contractors.

This is an enormous project that is both time-consuming and expensive. It is highly recommended to seek help from a qualified NIST SP 800-171 and CMMC consultant or a CMMC registered practitioner. Attempting it on your own is not recommended because of the complexity and time required.

Joe Coleman is the cybersecurity officer for Bluestreak Consulting. Edited by Chris Vavra, web content manager, CFE Media and Technology, cvavra@cfemedia.com.

Keywords: cybersecurity, DoD supply chain, CMMC

CONSIDER THIS

What are the biggest obstacles for you to become compliant with CMMC 2.0?
