In a recent interview between Robert Metzger and GovExec360 president Troy Schneider, Metzger urged DoD contractors to not wait for a final rule to come out on CMMC to start meeting compliance requirements — a stance that SysArc has taken for the last several years.  

Metzger is considered to be the ‘father’ of the Cybersecurity Maturity Model Certification (CMMC) due to the fact that he co-authored the “Deliver Uncompromised”, a report from Mitre, a nonprofit research firm behind many of the principles of CMMC. 

When asked about the date he would expect CMMC requirements to show up in contracts, Metzger said, “It doesn’t really matter. The smart move is to protect yourself. Now. Not because you have to comply but because you want your enterprise to stay in business. Don’t let yourself think that it matters what day you happen to get a request for information or request for proposals that requires an assessment. Be secure beforehand for the sake of your employees, your lenders, your clients, your customers, your investors. And then also your regulator.”

Many DoD contractors say they find CMMC to be too difficult, expensive, and complex to implement. This sentiment has led many contractors to shy away from implementing the very important requirements. In response to this, Metzger said, “We cannot decide that security is unimportant for small businesses. We cannot give them a waiver. But we must facilitate a means by which small businesses can accomplish security economically. That takes us away from on premise measures and towards external service providers. But we haven’t yet established a means by which a smaller company can look at a managed service provider, a managed security as a service provider, or some other external resource and say — “If I do my part and they do their part, then I’m going to accomplish some percentage of the CMMC requirements. We need that.”

What many small and mid-size businesses might not be aware of is that the market has been rapidly developing solutions for businesses to meet requirements already for the last several years. SysArc, for example, has been at the forefront of implementing cybersecurity requirements for our DoD contractor customers since 2017 when DFARS first became law. Since then we’ve been able to refine our offerings and considerably reduce the time and expense required to secure contractor information systems and get them properly prepared for CMMC — whenever the final rule is made. 

For more information on SysArc’s economical solutions for CMMC compliance, consider requesting a consultation here. Our team is happy to learn about your business and walk you through our process and associated costs to prepare for CMMC.

Since the beginning of the rollout of the Defense Federal Acquisition Regulation Supplement (DFARS) and now the Cybersecurity Maturity Model Certification (CMMC), much of the emphasis on the necessity of these programs has been on protecting national security. Also, the top down enforcement of these programs has led many DIB suppliers to focus less on the benefits of implementing cybersecurity controls within their organizations, and more on simply trying to “follow the law” so that they can continue to win government contracts — what many of these suppliers depend on to survive.

This article will cover two underemphasized benefits of DFARS and CMMC for DIB suppliers:

1. Protection from ransomware, data loss, downtime and liability
2. Ability to qualify for cyber insurance

Protection From Ransomware, Data Loss, Downtime and Liability

While protecting national security should be a priority for all DIB suppliers to embrace, additional emphasis might be placed on the fact that the cybersecurity controls in NIST 800-171 will help businesses protect themselves against ransomware, data loss and operational downtime — something that every business (even those outside of the defense supply chain) should be concerned about.

• Ransomware: This is when hackers infiltrate an DIB supplier’s computer systems. Once inside, they can lock out all authorized members of the organization from gaining access to data required to keep the business operational. They’ll then demand a ransom in exchange for the keys to unlock the data.
• Data Loss: Even if the ransom is paid, there’s no guarantee that an organization’s data will be fully or partially restored.
• Downtime: Even if organizations have backed up their data in a location that was not infiltrated by hackers, the process of restoring data and getting computer systems back online can be a substantial amount of time leading to financial and reputation losses.
• Liability: DIB suppliers can be held liable for the damages stemming from the theft of third-party data.

Ability to Qualify for Cyber Insurance

In the past two years, cyber insurance underwriters have significantly stepped up their requirements to ensure organizations have a certain level of cybersecurity solutions in place before they can qualify for cybersecurity insurance. Implementing NIST 800-171 controls will more easily enable DIB suppliers to qualify for cyber insurance and at a potentially lower rate due to their cyber risk being decreased.

Why would DIB suppliers need cyber insurance? While having cybersecurity controls in place substantially reduces the risk of cyber criminals wreaking havoc on a business, it does not 100% guarantee that a cyber breach will not occur. People within organizations make mistakes or can be malicious. Having cyber insurance can help organizations recover from the financial loss when all else fails.

Next Steps…

If your organization offers products and services to the DoD, then implementing NIST 800-171 is on your list of to dos. For organizations that would like to pursue implementation themselves, read our guide to CMMC compliance. If you lack the resources to implement controls yourself, consider outsourcing the task to a CMMC consultant, like SysArc. We’ve consulted with over 1,000 DIB suppliers on complying with DFARS and helping them get prepared for CMMC.

For those that want the key pieces of information of this article up front, here’s the key takeaways:

1. Expect an interim rule by March 2023
2. Expect CMMC requirements in DoD contracts in May 2023
3. All DIB suppliers who handle CUI (both non-prioritized or prioritized) will need to implement NIST 800-171 controls

Keep in mind that the dates above are not official and are only estimates based on the information we’ve been able to gather at the moment. For more context, please keep reading.

Where We’re At Now

CMMC requirements are currently within the federal rulemaking process for the Code of Federal Regulations (CFR) and Defense Federal Acquisition Supplement (DFARS). These two processes are required before CMMC requirements can be implemented.

Where We’re Going

According to a FedScoop article, Stacy Bostjanick, the Pentagon’s director of CMMC policy said, “We’re hoping by March of 2023, they will give us an interim rule. Now that’s not guaranteed. They could come back and say, ‘No, we don’t see the urgency of this meeting to be an interim rule and you will not be allowed to implement until you go through final rule.’” If an interim rule decision is made, there will be a 60-day public comment period, but the DoD would be able to implement CMMC requirements in contracts by May 2023, Bostjanick said.

Prioritized CUI and Non-Prioritized CUI

Though not explicitly referenced in the official CMMC 2.0 documentation, Bostjanick shared some insights regarding prioritized and non-prioritized controlled unclassified information, or CUI.

“For those companies that would handle non-prioritized CUI, the thinking is that they could merely do a self-assessment, an annual affirmation that they meet the requirements of the NIST 800-171 to handle the non-prioritized CUI. From our analysis, the non-prioritized CUI is going to be a smaller subset of the CUI that we deal with,” she said.

“Since companies don’t ever normally just do one contract with the DOD, they bid on multiple contracts, eventually, anybody who handles CUI and bids on more than one contract will most likely have to have a third-party assessment, because it’s only ever going to take one contract that you bid on that requires that third-party assessment to drive you to that level,” she added.

While definitions are currently being worked on, our understanding is that non-prioritized CUI is information that wouldn’t present much of an issue if it fell into the wrong hands. Prioritized CUI, rather, is sensitive information that if leaked, could present a national security risk or cause a loss of defense capabilities and/or competitive advantage.

Why All DIB Suppliers Need to Make CMMC Preparations Now

If they haven’t already, all businesses that provide products and services to the defense supply chain should not delay any further in their preparation to meet the requirements of CMMC regardless of whether they think they will have prioritized or non-prioritized CUI.

In light of the information that Bostjanick shared, SysArc CEO offers advice for DIB suppliers who are navigating CMMC. “The problem is that no DIB supplier is going to know ahead of time whether the contract they’re bidding on will have prioritized or non-prioritized CUI. Therefore it’s important that every contractor treats all contracts as if they will be dealing with prioritized CUI. Otherwise, they might find themselves potentially less likely to take CMMC preparation seriously and leave them unprepared for a third-party audit,” said Tim Brennan, CEO of SysArc.

“At the end of the day, the concern for businesses shouldn’t be whether they will deal with prioritized and non-prioritized CUI. That’s because all businesses who handle CUI, regardless of prioritized or non-prioritize, are required by law to have NIST 800-171 controls in place. The only question then is whether they will be required to pass a third-party assessment or only need to self-attest compliance. Ultimately it’s up to each company how much risk they want to take on,” he added.

Need Help Preparing for CMMC?

We’ve helped over 1,000 DoD suppliers and their primes navigate the complexities of DFARS, NIST 800-171, and CMMC. If you’re concerned about your company’s ability to prepare, feel free to give us a call or request a consultation. We’re happy to walk you through our process for getting companies like yours CMMC compliant faster and for less cost than other solutions on the market.

Reference:

Pentagon updates timeline for CMMC cybersecurity initiative

SysArc recently contributed to an Exostar panel discussion entitled “NIST 800-171 & CMMC 2.0 Non-Compliance: What’s the Risk?” featuring SysArc CEO, Tim Brennan and GDIT CISO, Michael Baker. Streamed live on April 27th, 2022 — This webinar was recorded and is available to watch below.

In this webinar we discuss the following:

• • Threat Landscape: Cyber threats that exist today for DIB suppliers and why we all should be concerned.
  • Getting Prepared: SSPs, POA&Ms, SPRS scores and what DIB suppliers need to be doing now to be ready and compliant for upcoming compliance audits. 
  • DIBCAC Assessments: DCMA continues to conduct random DIBCAC assessments on suppliers to enforce DFARS 7019 & 7020.
  • Common Questions from DIB Suppliers:
    • What is Controlled Unclassified Information (CUI)?
    • Regarding CMMC Level 2, who will need a third-party assessment and who will need a self-assessment?
    • We are a small company, are the requirements scalable?
    • Has a firm timeline been set for the requirements to be validated by Tier 1 manufacturers and who is responsible for enforcing compliance?
    • What happens if I haven’t submitted an SPRS score yet?
    • Will my Prime check to see if I’m compliant
    • As a small business with few employees we use POA&Ms to create processes to be compliant with NIST. Is this an acceptable long-term solution?

  Need Help with CMMC? SysArc Can Help

  We are a Managed Security Service Provider (MSSP) that specializes in helping DIB suppliers protect their information systems and comply with the cybersecurity regulations from the Department of Defense. We’ve consulted over 1000 companies and helped them navigate the complexities of DFARS, CMMC, and NIST 800-171. 

  To learn more about preparing for CMMC and how SysArc can help, please visit our CMMC guide here. If you’d like to speak with our team about your compliance needs, please feel free to give us a call or schedule a CMMC consultation. 

As a Managed Security Service Provider (MSSP) for Department of Defense (DoD) contractors throughout the United States it is one of our missions to keep Defense Industrial Base (DIB) companies updated on DFARS requirements and the rollout of CMMC. This is so they can meet the DoD’s cybersecurity requirements and continue to offer their products and services to the department without any delays or surprises.

With that said, it is critical for DIB companies to understand that the Defense Contract Management Agency (DCMA) is currently conducting random DIBCAC assessments on company’s IT systems to enforce DFARS 7019 and 7020. For contractors who have either failed to start implementation of cybersecurity requirements or have put them on hold, we advise to have them completed immediately.  

What is the DCMA?

The DCMA provides contract administration services for the Department of Defense (DoD) and is an essential part of the acquisition process. The agency manages 250,000 contracts, valued at more than $3.5 trillion. DCMA makes sure DoD, other federal agencies, and partner nation customers get the equipment they need, delivered on time, at projected cost, and meeting all performance requirements.1

What is DIBCAC?

DCMA oversees the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). DIBCAC is a team of technology professionals that perform two primary missions:

1. Assess DIB Supplier Cybersecurity: Assess DIB companies to ensure they are meeting contractually required cybersecurity standards. The team ensures contractors have the ability to protect controlled unclassified information for government contracts they are awarded.
2. Establish & Expand CMMC Assessment Capabilities: The DIBCAC is also a member of the government team establishing the Cybersecurity Maturity Model Certification (CMMC) program to expand cyber assessment capabilities throughout the defense industrial base. 

Source: https://www.dcma.mil/News/Article-View/Article/2981222/tech-team-wins-cybersecurity-award/

What are DIBCAC Assessments?

DIBCAC assessments are essentially audits of DoD contractor systems to ensure they have implemented the security controls of NIST 800-171 as required by DFARS 7019 & 7020.

According to John Ellis, the Technical Directorate’s Software Division director at DCMA, the following are problems that they are seeing regularly with the audits they have completed so far:

• Lack of Multi Factor Authentication (MFA)
• Poorly written or non-existent policies
• Lack of FIPS 140-2 validation for encryption solutions
• Poorly designed/implemented network segmentation

If a DoD contractor fails to pass a DIBCAC assessment, they may be ineligible to provide their products and services to the DoD. Because these assessments are currently being conducted, it is essential that suppliers are prepared now. 

Where to Get Help & How to Prepare

The laws and requirements of DFARS and CMMC can be daunting for many DoD contractors  — especially those that lack the resources and knowledge to implement security controls themselves. As a DFARS and CMMC consultant, we help DoD suppliers navigate the complexities of the DoD’s cybersecurity policies and have a team of cybersecurity professionals to implement security controls on their behalf.

To learn more about how to prepare for CMMC, visit our CMMC preparation guide. Also, feel free to give us a call or request on consultation. Whether you’re a small or large company, we’re happy to discuss your unique situation and help you find the best path to preparing for a DIBCAC assessment.   

Summary of Key Updates from CMMC 1.0 to 2.0

Below is a summary of the key changes you need to be aware of when understanding the difference between CMMC versions 1.0 and 2.0. For an in-depth guide into CMMC 2.0 changes, see here.

1. Only 3 CMMC Levels: CMMC Levels 2 and 4 from the original CMMC framework have been eliminated, leaving only 3 current CMMC Levels. These Levels are detailed below.
2. Level 1: Now only requires an annual self-assessment and affirmation by company leadership. No changes to the 17 basic cyber hygiene practices required.
3. Level 2: The “old” CMMC Level 3 now becomes Level 2. 20 controls have been eliminated from the original framework’s Level 3 requirements, leaving contractors only having to implement the 110 controls from NIST 800-171. The DoD will identify “prioritized acquisitions” that must undergo an independent third-party assessment against the new Level 2 requirements. All other organizations will only need to perform a self-assessment and affirmation by company leadership.
4. Level 3: This level will replace CMMC Levels 4 and 5 from the original framework. While details are still being worked out, it is expected that this level will include controls from NIST SP 800-172 and assessments will be government-led.

For more information about CMMC compliance and how to comply with CMMC 2.0, please read our CMMC Compliance Guide. If you have any questions about getting your organization in compliance, please don’t hesitate to give us a call or schedule a consultation.

Every organization within the Department of Defense (DoD) supply chain—including prime contractors and subcontractors—will be required to achieve at least one of the levels of CMMC compliance. According to the DoD, the CMMC compliance regulations will impact over 300,000 organizations.

Does My Organization Need CMMC Compliance?

If your organization is one of the following, you will need to achieve CMMC compliance in order to hold and be awarded contracts by the DoD:

• DoD prime contractors
• DoD subcontractors
• Any supplier within the DoD supply chain

Levels of Compliance

Depending on the amount and type of sensitive information your organization transmits, you’ll have to achieve one of 3 levels of CMMC compliance.

The DoD contract specifies which level of compliance an individual contractor must meet. For example, prime contractors may have to achieve Level 3 compliance while subcontractors may only be required to achieve Level 1.

Using the CMMC standards, organizations will be issued a score indicating the organization’s level of compliance. Each level requires you to comply with the previous level’s standards as well. The three levels are:

• Level 1 Foundational: Basic Cyber Hygiene. Level 1 focuses on basic cyber hygiene requirements. There are 17 practices that need to be implemented from FAR 52.204.21.
• Level 2 Advanced: DIB companies who send, receive and store controlled unclassified information fall into this category. There are 110 controls that must be implemented from NIST SP 800-171.
• Level 3 Expert: This level is for DIB companies who send, receive and store information from the Defense Industry’s high-risk programs. While details are still being worked out, it is expected that this level will include controls from NIST SP 800-172.

The CMMC Accreditation Body (CMMC-AB) is working to ensure that third-party assessments are available for contractors, subcontractors, and suppliers at each of the CMMC levels. In the meantime, organizations should consider working with a CMMC compliance consultant to prepare for their official audits because RPOs have gone through formal training, signed a code of ethics, and are more qualified and experienced than consultants that have not.

If you are interested in learning more about CMMC and the process for becoming compliant, please read our CMMC Compliance Guide. If you have any questions, don’t hesitate to give us a call or schedule a free consultation. Our team will be happy to help your organization navigate the complexities of compliance.

The process of becoming CMMC compliant can be broken down into three essential steps:

1. Assess your IT infrastructure
2. Remediate based on your assessment
3. Get assessment by C3PAO

Let’s walk through each in more detail.

Step 1: Assess Your IT Infrastructure

Typically the first thing you’ll need to do is conduct an assessment of your current IT infrastructure against the control framework that aligns with your desired CMMC Level. This is also called a gap analysis and is the basis for understanding what controls, processes and procedures need to be implemented to achieve compliance. Companies with the right resources will be able to conduct their own self-assessment, while some will need to outsource the assessment to a third-party, such as an CMMC Registered Provider Organization (CMMC RPO). Self-assessment resources can be found here and templates for System Security Plans (SSP) and Plan-of-action and Milestones (POA&M) can be found here and here, respectively.

Step 2: Remediate

The next step is remediation which involves the actual work to implement the controls, processes and procedures that are called out in the assessment. Again, companies with the resources may be able to perform the remediation work themselves, while others might consider utilizing an RPO. Even if a company does have the resources, an RPO will likely be able to do it faster and more efficiently.

Step 3: Get assessed by a C3PAO

For companies that need to meet CMMC Level 2 and 3, the last step to become CMMC compliant is to get an official assessment from a Certified Third-Party Assessor Organization (C3PAO). However, no assessments are currently being performed as the Assessors are being trained. The first assessments are expected to start in 2022.

When To Call In An Expert

If you are having trouble navigating the complexities of your self-assessment and/or developing an SSP and POA&M, it may be time to call in an expert to help. As one of the nation’s top CMMC experts, we’ve helped over 1000 DoD contractors get prepared for CMMC. Please feel free to request a consultation to speak with us about your challenges with CMMC, DFARS and NIST 800-171 and how we can help. Also check out our CMMC compliance guide for more information.

We recently presented in a webinar entitled, “CMMC 2.0, NIST 800-171 & Current Threat Landscape,” with the Small and Emerging Contracting Advisory Forum (SECAF).

In this webinar we discuss the following:

• Important changes with the release CMMC 2.0 and what this means for you
• DFARS 7012 and NIST 800-171
• The current theat landscape for the DIB
• Frequently Asked Questions from the community

Watch the webinar here: