In the past several years, Department of Defense (DoD) contractors have had to tackle a new initiative to ensure the security of the DoD and to protect government-related sensitive data – the Cybersecurity Maturity Model Certification (CMMC) program.
Introduced in 2020, the CMMC program requires any current or future DoD contractor to receive CMMC certification before entering into a formal partnership or contract with the DoD. The certification process applies to contractors and subcontractors that handle security-sensitive data and information, including IT companies. However, it also applies to any contractor or subcontractor with a connection to the Department of Defense.
Even a company that provides snacks for government vending machines or performs landscaping services for DoD offices will need to be CMMC certified. This can be a daunting process for contractors who are unfamiliar with the CMMC requirements. However, with the right support and guidance, DoD contractors can achieve compliance and continue their partnership with the government.
History of Cybersecurity Maturity Model Certification (CMMC)
The High Risk of Not Having CMMC
What is the CMMC Program?
Understanding FCI and CUI
Navigating the Differences Between the Original CMMC and CMMC 2.0
What DoD Contractors Must Achieve Certification?
The Three Levels of CMMC 2.0
Does CMMC Apply to All Government-related Work?
How is CMMC Certification Achieved?
When it Comes to CMMC’s Unique Practices, Emeritus Can Help!
The Process of Obtaining CMMC Certification
There are multiple CMMC requirements to take into consideration to achieve a specific CMMC level, and the department-initiated rulemaking process is constantly changing.
In fact, roughly a year after the CMMC program was introduced in 2020, the Department of Defense announced an updated and enhanced version, CMMC 2.0. As a result, the government added an extra layer of best practices for DoD contracts.
If you are a company currently working with the Department of Defense (or want to work with the government via a DoD contract in the future), understanding the CMMC process should be a top priority. Emeritus has a team of registered practitioners who can handle all the details of CMMC certification (and perform an intricate and individualized CMMC assessment). However, it’s helpful to understand the basics of the process to get started.
History of the Cybersecurity Maturity Model Certification (CMMC)
Though cybersecurity is a hot topic and appears to be a concerning issue, federal government-based cybersecurity standards and requirements are by no means new. In fact, the first such requirement was introduced in 1986, well before the broader world had ever heard of the internet.
Before introducing the CMMC program and the later CMMC 2.0, there were guidelines and documentation in place for DoD contractors and subcontractors to ensure communications protection and security standards.
Before CMMC, contractors were advised to follow the National Institute of Standards and Technology’s (NIST) SP 800-171 guide for protecting Controlled Unclassified Information (CUI). However, this process had its pitfalls and was somewhat ineffective. For one thing, these requirements were not necessarily monitored and were based on the self-assessment of defense industrial base (DIB) contractors.
As a result, many cybersecurity standards fell by the wayside – not because defense industrial base (DIB) contractors were negligent, but simply because these processes were not a priority under a self-assessment model.
The High Risk of Not Having CMMC
In a 2018 report issued by the Council of Economic Advisers (CEA), the economic costs of malicious cyber activity were thoroughly examined across all sectors, and the results were staggering.
Per the report, malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 alone. Therefore, any attacks on critical infrastructure sectors – like the many-pronged facets of the DoD’s operations – would be highly damaging to the U.S. economy.
Reports like these, as well as a noticeable rise in malicious cyber activity originating both within the U.S. and abroad, led to a new rulemaking process for cybersecurity requirements.
The CMMC program was launched in 2020. According to the OSD Federal Register, the Department initiated an internal assessment of the original implementation that was informed by more than 850 public comments in response to the interim DFARS rule.
Simply put, as the OSD Federal Register outlined, the proposed rules of CMMC 1.0 were put to the test and were subsequently adapted and changed based on the CMMC program’s first few months of existence.
CMMC 2.0 was introduced in late 2021, and the changes reflected in the updated program will be implemented through the rulemaking process, with all DoD contractors and subcontractors expected to achieve certification by 2026.
What is the CMMC Program?
Per the Department of Defense, the Cybersecurity Maturity Model Certification (CMMC) program is aligned with DoD’s information security requirements for the defense industrial base (DIB).
The CMMC program is designed to ensure the protection of sensitive unclassified information shared between the Department of Defense and its contractors and subcontractors, including IT companies. The program assures the DoD that contractors and subcontractors are meeting the cybersecurity requirements. Additionally, these requirements apply to acquisition programs and systems that process controlled unclassified information.
Having CMMC certification in hand means that contractors will have a better opportunity to bid (and win) contracts with the DoD, both now and in the future.
Understanding FCI and CUI
When it comes to the CMMC program, there are two types of data or information that are generally protected from disclosure or unauthorized use:
- Controlled Unclassified Information (CUI) requires safeguarding pursuant to and consistent with applicable laws, regulations, and government-wide policies.
- Federal Contract Information (FCI) is information not intended for public release and provided by or generated for the government under a contract to develop or deliver a specified product or service.
The majority of DoD contracts deal with controlled unclassified information. However, both sets of data may need to meet the cybersecurity standards of the Cybersecurity Maturity Model Certification (CMMC) process.
Navigating the Differences Between the Original CMMC and CMMC 2.0
On November 4, 2021, the Department of Defense announced a new and strategic direction for the Cybersecurity Maturity Model Certification (CMMC) program, marking the completion of the internal program assessment that tested the original CMMC.
Per a DoD press release issued at the time of the launch of CMMC 2.0, the enhanced “CMMC 2.0” program maintains the program’s original goal of safeguarding sensitive information, with the following adjustments identified through the rulemaking process:
- simplifying the CMMC standard and providing additional clarity on regulatory, policy, and contracting requirements.
- focusing on the most advanced standards and third-party assessment requirements on companies supporting the highest priority programs.
- increasing Department oversight of professional and ethical standards in the assessment ecosystem.
“CMMC 2.0 will dramatically strengthen the cybersecurity of the defense industrial base,” stated Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, in the 2021 press release. “By establishing a more collaborative relationship with the industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements.”
The defense industrial base is the target of increasingly frequent and complex cyberattacks by adversaries and non-state actors. Through such attacks, bad actors can spiderweb into numerous systems and data, including sensitive federal contract information and other information that can be damaging to the government and the U.S. economy.
By enhancing cybersecurity to meet these advanced persistent threats and safeguarding the information that supports and enables all aspects of government operations, the government’s security and acquisition leaders can minimize future risk.
What DoD Contractors Must Achieve Certification?
Any company with a DoD contract (or bidding for a DoD contract) should achieve CMMC certification to cover all its bases. However, when it comes to creating a system security plan in order to maintain compliance with CMMC, there are multiple CMMC levels that outline the standards a company must adhere to.
Unlike the previous policies (like the NIST 800-171), the DoD-developed CMMC and CMMC 2.0 have multiple levels of best practices and processes. These range from “basic cyber hygiene” to more advanced cybersecurity measures that correlate with sensitive defense industrial base contracts.
Starting at Level 1, each level represents a higher tier of security. For a company to achieve certification at a higher level, it must demonstrate that it has also met the standards of the lower levels.
Note: One of the major changes in CMMC 2.0 is that the number of levels changed from five in the original to just three, which still range from basic best practices to more advanced security measures.
The federal contract typically outlines the CMMC level that a specific DoD contractor requires. However, the guidelines for each CMMC level are as follows:
- Level 1 (Foundational Cyber Hygiene Practice): This level requires basic cyber hygiene practices. DoD contractors and subcontractors that handle Federal Contract Information (FCI) will typically need Level 1 certification.
- Level 2 (Advanced Cyber Hygiene Practice): This level requires all 110 NIST SP 800-171 Rev2 controls to achieve Level 2 certification. Level 2 practices are earmarked as advanced cyber hygiene. DoD contractors and subcontractors that handle CUI data connected to national security (regardless of whether it is critical or non-critical) will generally need to meet Level 2 compliance.
- Level 3 (Expert Cyber Hygiene Practice): This level includes advanced cybersecurity practices beyond Level 2. DoD contractors and subcontractors that handle CUI for DoD programs with the highest priority or security will generally need to acquire Level 3 compliance.
Does CMMC Apply to All Government-related Work?
When it comes to the broader realm of public information, CMMC certification may not be required.
Public information is described as data that is “public release approved,” or data that is available from an uncontrolled, publicly available government source. This includes, for example, industrial output forecasts intended for general release and publication.
Handling public information does not require special controls and is not included in official CMMC requirements. This means that DoD contractors and subcontractors that only work with public information (like media outlets) will likely not require CMMC certification.
How is CMMC Certification Achieved?
Once CMMC 2.0 is officially implemented, all DoD contractors will need to obtain a third-party CMMC assessment.
The CMMC Accreditation Body (The Cyber AB) will accredit CMMC Third-Party Assessment Organizations (C3PAOs) and the Cybersecurity Assessor and Instructor Certification Organization (CAICO).
Accredited C3PAOs will be listed on The Cyber AB Marketplace, and the DIB company will be fully responsible for obtaining the needed assessment and certification. This includes coordinating and planning the CMMC assessment.
After completing the CMMC assessment, the C3PAO will upload the assessment report for DoD to access and review.
It is estimated that by the end of 2025, all DoD contractors will be required to obtain a CMMC assessment and certification.
The Process of Obtaining CMMC Certification
The most important question for most current and future DoD contractors when it comes to CMMC is, “Where should I begin?”
Achieving the various CMMC levels may require several adjustments to a company’s configuration management, physical protection measures, and other CMMC unique practices. Together, these ensure a certain level of security for classified and unclassified information.
Also, keep in mind that as the rulemaking process evolves, any interim rule of the current CMMC program is subject to change. Achieving CMMC certification can be a challenging endeavor, which is why a company’s certification acquisition leaders must review all aspects of their systems before requesting a third-party CMMC assessment.
When it Comes to CMMC’s Unique Practices, Emeritus Can Help!
Achieving Cybersecurity Maturity Model Certification (CMMC) takes time, possibly up to six months or even more. This is why it’s essential for current and future DoD contractors to have all their ducks in a row well before securing CMMC certification.
At Emeritus, we can help with these company-wide details, ensuring that the policies, solutions, and systems that you have in place meet the new standards of CMMC 2.0.
It’s essential to have cybersecurity measures in place, for your company’s security and to broaden your opportunities in the months, years, and decades ahead. The federal government works with contractors across all industries and specialties. That is why achieving CMMC compliance can open many new contracts and jobs that can rebound well into the future.
Let’s dive deeper into the cybersecurity practices you have in place and how we can help you advance your policies and measures to the next level.
With Emeritus supporting you, you can be well-equipped when it comes time to garner your CMMC certification. More importantly, you can ensure the right protection for your company inside and out regarding any cyber threats that may appear ahead.