26 Nov 2021
What DoD Contractors Need To Do While Waiting for CMMC updates
The Department of Defense’s (DoD’s) Office of the Under Secretary of Defense for Acquisition and Sustainment recently issued a long-awaited overhaul to its Cybersecurity Maturity Model Certification (CMMC) program. The DoD introduced CMMC 2.0, which streamlines the CMMC program via a significant set of updates, including:
- Lowering the number of CMMC levels from 5 to 3
- Dropping all maturity process requirements
- Allowing limited:
  - Self-attestation of compliance
  - Plans of Action and Milestones (POAMs)
To help make sense of these developments, we share our perspective on the CMMC changes, along with recommendations for any Defense Industrial Base (DIB) company on how best to move forward.
It’s Still All About Protecting The Data
The most important takeaway from the shift to CMMC 2.0 is that DFARS 252.204-7012, NIST SP 800-171, and the International Traffic in Arms Regulations (ITAR) remain the law of the land and are required for handling controlled unclassified information (CUI) or ITAR data in the performance of many DoD contracts. Incident reporting, forensic snapshots, FIPS 140-2 encryption, and all 110 NIST 800-171 controls remain in full effect for companies handling CUI or ITAR data.
The DoD also announced plans to strengthen the basis of the CMMC program by aligning the Code of Federal Regulations (CFR) language with DFARS. That is, CMMC 2.0 will remove any ambiguities stemming from DFARS Interim Rule 2019-D041, Clause 7021, which had previously been relied upon to implement CMMC. Codifying CMMC 2.0 through the federal rulemaking process will provide the clarity needed to effectively enforce and measure cyber compliance across all commands and agencies.
CMMC Audits Are Not Going Away
While we wait for CMMC 2.0 to make its way through the DoD rulemaking process, remember that the DFARS remains in force. Just as the IRS can audit a taxpayer, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) can select a contractor for a NIST 800-171 audit. You will want to be sure that your company is implementing adequate data protections and is on a path toward achieving a good NIST 800-171 score, which now must be filed in the DoD’s Supplier Performance Risk System (SPRS).
Remember, too, that CMMC will be back upon completion of the rulemaking process—and so will third-party assessments for at least some contractors. The bottom line is that it makes a lot of sense to stay in compliance with the current rules while keeping an eye on the future rules that lie ahead.
CMMC Enforcement Is Real
Have you seen the Department of Justice’s (DoJ’s) new Civil Cyber-Fraud Initiative to hold contractors accountable for cybersecurity? The DoJ is now using the power of the False Claims Act to help enforce cybersecurity compliance and is encouraging whistleblowers to come forward. A new task force will focus on investigating reports of contractors that withhold breach reports or falsify their compliance scores. The Defense Contract Management Agency (DCMA) is already enforcing DFARS compliance via DIBCAC audits. Further, prime contractors have a huge stake in making sure their suppliers represent their security programs accurately, and they are taking action by dismissing those that do not.
PTG Can Help Boost Your CMMC Score and Protect Your Data
Case in point: a customer recently underwent a DIBCAC High audit for NIST 800-171 and achieved a near-perfect 109 out of 110 SPRS score using PTG’s policies, procedures, and security control layers, such as Zero Trust, end-to-end encrypted email and file storage, as an essential part of their overall cybersecurity program.
Recent guidance from the NSA and the White House strongly advises the adoption of Zero Trust principles to protect data, as opposed to continuing with traditional perimeter-based approaches. Our encryption service was designed from the ground up on modern Zero Trust principles and uses end-to-end encryption to protect information. The file sharing and secure messaging features protect your CUI with unmatched security. Further, ITAR compliance comes built in because the data is end-to-end encrypted with FIPS 140-2 validated encryption, and the service provider never has access to the decryption keys.
Our solutions are easy to use and deploy in hours, not months, with no disruption to existing IT systems. One key benefit of a simple-to-deploy system is that it costs far less to own and manage. And your employees will actually use this solution for storing and sharing sensitive data because it is so intuitive and easy to use.
For companies that have migrated to the cloud or plan to do so, note that commercial off-the-shelf cloud services for files and email are not DFARS compliant. Higher-priced cloud migrations like Microsoft GCC High are available but come with significant disruption and costs.
Conclusion – CMMC 2.0 reinforces strategy to move ahead with NIST 800-171
The DoD’s requirements to protect CUI are still very much in effect while CMMC 2.0 works its way through the federal rulemaking process. Noncompliance carries significant enforcement and business risks. Without question, companies that do work for the DoD need to keep up with their compliance initiatives and continue to raise their NIST 800-171 scores towards 110.
Now is the time to implement a DFARS-compliant cybersecurity program; contractors won’t have time to react later when CMMC 2.0 becomes law, or when an audit is coming their way. Companies that are prepared and compliant will have competitive advantages when contracts are awarded, new rules emerge, or audits happen.
Realization of CMMC 2.0 will take time, but until then, data protection remains a top priority for national security. Defending the DIB’s attack surface and protecting data from our nation’s adversaries remains a never-ending challenge well worth the effort required.