Someone once asked bank robber Willie Sutton why he robbed banks. Sutton replied, “Because that's where the money is.”
For would-be attackers, surely there’s no more attractive “bank” than government data. Thus, the U.S. Department of Defense (DoD) must do everything possible to protect that sensitive data from nefarious actors who would try to breach its defenses. You can imagine the volume and delicacy of that data!
Even if the DoD did everything right internally, it’s at risk if any partner or supplier has inadequate cybersecurity defenses—and there are many partners. As a result, several years ago, the DoD established programs to keep such systems safe, both within government agencies and with any organizations with which it partners.
If your company is among those partners – either as a direct contractor or subcontractor – listen up. One critical framework, the Cybersecurity Maturity Model Certification (CMMC), is being updated, and its changes will likely affect your organization’s workflow. Those effects will be felt particularly by small- and medium-sized businesses (SMBs) involved in government contracting.
The idea behind the framework is to protect any data for which the government is responsible, and to ensure compliance with cybersecurity best practices. Like a lot of governmental writing, the CMMC is detailed, meticulous, and ponderous. The contents can be daunting to understand, and feel impossible to comply with. However, adhering to those rules is necessary for any business that wants to provide services to the federal government (either directly or as a contractor to such a company).
A word of warning: There are a lot of three-letter acronyms – TLAs – to endure. If you work with the government or plan to, you probably need to get used to this.
Here are the essentials of what you need to know.
The CMMC focuses on cybersecurity threats within the Defense Industrial Base (DIB). It is directed at contractors handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), ensuring those organizations meet the DoD’s cybersecurity standards.
Contractors and subcontractors follow the CMMC program to verify their ability to protect sensitive, unclassified information, whether the DoD shares that data with them or they generate it themselves while performing the contract. The CMMC acts as a mechanism to show that the security requirements for a given CMMC level (we’ll get to levels in a moment) were implemented, and that they stay implemented for the duration of the contract.
To protect CUI, the Defense Federal Acquisition Regulation Supplement (DFARS) added a requirement (clause 252.204-7012, with full compliance due by the end of 2017) for contractors and subcontractors that store, process, or transmit CUI. Those partners had to implement the 110 security requirements outlined in National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), which has been revised several times since then.
Defining CUI is a deeper issue, but your business should expect the contract materials to spell out which information counts. Worth noting: CUI replaced the older DoD marking “For Official Use Only” (FOUO), a term that is no longer used.
To address the weaknesses of that approach – for one thing, contractors self-attested to compliance, and their plans for fixing unmet controls didn’t require a completion timeline – the DoD created CMMC 1.0 in early 2020. This framework drew its processes and security requirements from several sources, including NIST, the Federal Acquisition Regulation (FAR), and DFARS.
CMMC 1.0 had five levels of maturity progression, which aimed to determine an organization's cybersecurity maturity. They correlated to the following goals:
CMMC 1.0 addressed 17 high-level cybersecurity compliance categories (called domains) containing 43 capabilities (achievements to ensure cybersecurity objectives are met within each domain). The capabilities comprise 171 practices across the five maturity levels.
17 domains? 171 practices? Documentation for all of them?! Even if a would-be contractor or subcontractor was already doing all the right things security-wise, filling in the forms was a tremendous amount of work – particularly for the SMBs that make up most of the DIB. And because certification was to be a condition of doing DoD work, those companies faced losing that work if they couldn’t get certified. Not to put too fine a point on it, but that was a problem.
The DoD tweaked CMMC twice (versions 1.1 and 1.2) but eventually concluded that the framework needed to be reworked to simplify it without losing sight of its cybersecurity goal.
And now we have the 2.0 version!
In December 2023, the DoD published the CMMC 2.0 Proposed Rule, 32 CFR Part 170. By government standards, it’s been a lightning pace ever since. In June 2024, the rule went to the Office of Information and Regulatory Affairs (OIRA) for final review, including setting an “effective date.” While OIRA can take as long as 120 days for its evaluation, 60 days or more is a typical turnaround.
The final rule was published on Oct. 15, 2024, and takes effect on Dec. 16, 2024. The DoD will soon make CMMC compliance mandatory in some DoD contracts (as a condition of contract award), and it is phasing the requirement in over roughly three years. By 2028, expect CMMC compliance to be mandatory in all applicable DoD contracts.
Your takeaway: By early next year, this will be a relevant part of government contracts.
The new DoD regulation pares down the cybersecurity requirements to reduce the burden on businesses, but aims to do so without lowering the underlying security standards.
For one thing, CMMC 2.0 has a more streamlined approach. Instead of the five levels of cybersecurity maturity in CMMC 1.0, there are now three:
Levels 2 and 3 certifications include 14 domains. The documentation regularly gives them two-letter abbreviations:
Which level applies to your organization? Expect the required level to be set contract by contract, depending on the criticality and sensitivity of the data involved. At a minimum, every contractor that handles FCI must complete a CMMC Level 1 self-assessment (Level 1 has no third-party certification; you assess yourself against the requirements and affirm the result), and contractors that handle CUI should expect Level 2 or higher.
Despite efforts to simplify the CMMC program, it’s still complicated and time-consuming, especially for organizations new to the world of government contracting.
If the matter is relevant enough to your business for you to have reached this point in the article (for which we are grateful, thanks!), now is the right time to get your ducks in a row – or at least to acquire a brace of ducks for later organization.
What can you do now?
Even if everything isn’t copacetic when you bid on a contract, the DoD may grant a conditional status that lets you close out remaining gaps under a Plan of Action and Milestones (POA&M) within a fixed window after the assessment – but it’s best that you don’t need one, and not every requirement is eligible for a POA&M.
Depending on the level a contract requires, you may need to work with a Certified Third-Party Assessor Organization (C3PAO). These independent organizations assess companies to verify that they meet the DoD’s standards; Level 2 contracts generally require a C3PAO assessment, though some Level 2 work can be met with a self-assessment. CMMC Level 3 requires a government-led assessment, in which DoD assessors review your System Security Plan (SSP), examine your security posture, and meet with your team before approving the company. Certifications are valid for three years, with an annual affirmation in between that you are still in compliance, after which the compliance dance begins again.
Are you ready to get started? Secure Ideas would love to help you assess your current cybersecurity posture and offer advice about your CMMC readiness. Contact us to get the conversation started!