CMMC applies to all Department of Defense contractors that handle classified government information.
The Department of Defense’s proposed rule codifying the Cybersecurity Maturity Model Certification (CMMC) program was released in late December and is now open for comment until February 26, moving it one step closer to becoming a reality. If finalized, the rule will affect all contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), with the aim of preventing cyberattacks in the defense industrial base.
The program, called CMMC 2.0, outlines CMMC’s security controls for all three security levels, establishes processes to monitor compliance, and defines the roles of the federal government, contractors, and third parties in ensuring cybersecurity. The rule applies to all Department of Defense contractors and subcontractors that “process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on contractor information systems.”
The only parties excluded are those whose contracts involve only commercially available off-the-shelf products and do not exceed the micro-purchase threshold.
“The easiest way to understand CMMC is to understand that CMMC is an assessment program designed to validate implementation of cybersecurity requirements. Importantly, however, the CMMC program itself examines cyber requirements that are imposed by other contract provisions,” the interviewee told GovCIO Media & Research.
Although CMMC changes much of how unclassified information is handled outside the Department of Defense, it does not change the Federal Acquisition Regulation (FAR) or the Department of Defense FAR Supplement (DFARS). Those are covered by separate rules.
What do the new rules include?
The new regulations, called CMMC 2.0, outline three levels, compared to the original five levels specified in CMMC 1.0.
- Level 1 affects an estimated 63% of contractors and applies to contracts and subcontracts that deal with FCI. Level 1 contractors must perform a self-assessment to demonstrate compliance.
- Level 2 affects an estimated 37% of contractors and is mandatory for contracts and subcontracts that deal with CUI. At Level 2, the contract requires either a self-assessment or a certification assessment performed by a CMMC third-party assessment organization to demonstrate compliance.
- Only 1% of contractors are subject to Level 3 requirements, which add further requirements on top of Level 2. At Level 3, DOD additionally verifies compliance with the NIST SP 800-172 requirements.
“This basic minimum standard was created with a lot of assumptions about what would already be in place. As it turns out, that’s not really the case. Most companies, especially large companies, spend very little money on cybersecurity; it’s lower down the supply chain,” Horn said. “As soon as you get to Tier 2 and beyond, the existing maturity increases exponentially.”
Horn said the Pentagon is taking a firmer stance on cybersecurity requirements through the introduction of this rule, as small and large businesses alike are subject to lax standards.
The rule delegates authority to investigate inaccurate CMMC self-assessments or CMMC certification assessments. It will be rolled out in stages, with organizations given up to 30 months to integrate the new requirements into their workflows.
However, Horn said that as market forces shift towards CMMC compliance, contractors and subcontractors are likely to become compliant ahead of the 30-month deadline.
“The main contractor is going to immediately tell its subordinate [contractors], ‘Let’s go get certified as soon as possible.’ And the market will push everyone to get certified, whether there’s a clause for that in their contract or not,” Horn said.
What’s next for CMMC?
Although CMMC applies specifically to the Department of Defense, the NIST SP 800-171 requirements that CMMC obliges contractors to meet apply across the federal government, so other federal agencies are likely to face similar situations and issues.
The rollout of the CMMC program is an early indicator of what’s to come for other institutions, Horn said.
“It’s really important to pay attention to the issues it identifies, the policy positions of government agencies, the public comments received from industry, and how they work together to determine policy, because that’s exactly the same situation as every other government agency,” Horn said.