DFARS compliance

26 Nov 2021

What DoD Contractors Need To Do While Waiting for CMMC updates

The Department of Defense’s (DoD’s) Office of the Under Secretary of Defense for Acquisition and Sustainment recently issued a long-awaited overhaul to its Cybersecurity Maturity Model Certification (CMMC) program. The DoD introduced CMMC 2.0, which streamlines the CMMC program via a significant set of updates, including:

  • Lowering the number of CMMC levels from 5 to 3
  • Dropping all maturity process requirements
  • Allowing limited:
    • Self-attestation of compliance
    • Plan of Action and Milestones (POAMs)

To help make sense of these developments, we share our perspective on the CMMC changes, along with recommendations for any Defense Industrial Base (DIB) company on how best to move forward.

It’s Still All About Protecting The Data

The most important takeaway from the shift to CMMC 2.0 is that DFARS 252.204-7012, NIST SP 800-171, and the International Traffic in Arms Regulations (ITAR) remain the law of the land and are required for handling controlled unclassified information (CUI) or ITAR data in the performance of many DoD contracts. Incident reporting, forensic snapshots, FIPS 140-2 encryption, and all 110 NIST 800-171 controls remain in full effect for companies handling CUI or ITAR data.

The DoD also announced plans to strengthen the basis of the CMMC program by aligning the Code of Federal Regulations (CFR) language with DFARS. That is, CMMC 2.0 will remove any ambiguities stemming from DFARS Interim Rule 2019-D041, Clause 7021, which had previously been relied upon to implement CMMC. Codifying CMMC 2.0 through the federal rulemaking process will provide the clarity needed to effectively enforce and measure cyber compliance across all commands and agencies.

CMMC Audits Are Not Going Away

While we wait for CMMC 2.0 to make its way through the DoD rulemaking process, remember that the DFARS remains in force. Just as the IRS can audit a taxpayer, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) can select a contractor for a NIST 800-171 audit. You will want to be sure that your company is implementing adequate data protections and is on a path toward achieving a good NIST 800-171 score, which now must be filed in the DoD’s Supplier Performance Risk System (SPRS).

Remember, too, that CMMC will be back upon completion of the rulemaking process—and so will third-party assessments for at least some contractors. The bottom line is that it makes a lot of sense to stay in compliance with the current rules while keeping an eye on the rules that lie ahead.

CMMC Enforcement Is Real

Have you seen the Department of Justice’s (DoJ’s) new Civil Cyber-Fraud Initiative to hold contractors accountable for cybersecurity? The DoJ is now using the power of the False Claims Act to help enforce cybersecurity compliance and is encouraging whistleblowers to come forward. A new task force will focus on investigating reports of contractors withholding reports of breaches or falsifying compliance scores. The Defense Contract Management Agency (DCMA) is already enforcing DFARS compliance via DIBCAC audits. Further, prime contractors have a huge stake in making sure their suppliers are representing their security programs accurately, and they are taking action by dismissing those that do not.

PTG Can Help Boost Your CMMC Score and Protect Your Data

Case in point: A customer recently underwent a DIBCAC High audit for NIST 800-171 and achieved a near-perfect SPRS score of 109 out of 110 using PTG’s policies, procedures, and security control layers, such as Zero Trust, end-to-end encrypted email and file storage, as an essential part of their overall cybersecurity program.

Recent guidance from the NSA and POTUS strongly advises the adoption of Zero Trust principles to protect data, as opposed to continuing with traditional perimeter-based approaches. Our encryption service was designed from the ground up on modern Zero Trust principles and uses end-to-end encryption to protect information. The file sharing and secure messaging features protect your CUI with unmatched security. Further, ITAR compliance comes built in because the data is end-to-end encrypted with FIPS 140-2 validated encryption, and the service provider never has access to the decryption keys.

Our solutions are easy to use and deploy in hours, not months, with no disruption to existing IT systems. One key benefit of a simple-to-deploy system is that it costs far less to own and manage. And your employees will actually use this solution for storing and sharing sensitive data because it is so intuitive and easy to use.

For companies that have migrated to the cloud or plan to do so, note that commercial off-the-shelf cloud services for files and email are not DFARS compliant. Higher-priced cloud migrations like Microsoft GCC High are available but come with significant disruption and costs.

Conclusion – CMMC 2.0 reinforces strategy to move ahead with NIST 800-171

The DoD’s requirements to protect CUI are still very much in effect while CMMC 2.0 works its way through the federal rulemaking process. Noncompliance carries significant enforcement and business risks. Without question, companies that do work for the DoD need to keep up with their compliance initiatives and continue to raise their NIST 800-171 scores towards 110.

Now is the time to implement a DFARS-compliant cybersecurity program; contractors won’t have time to react later when CMMC 2.0 becomes law, or when an audit is coming their way. Companies that are prepared and compliant will have competitive advantages when contracts are awarded, new rules emerge, or audits happen.

Realization of CMMC 2.0 will take time, but until then, data protection remains a top priority for national security. Defending the DIB’s attack surface and protecting data from our nation’s adversaries remains a never-ending challenge well worth the effort required.
