Waiting on the Final Rule Can Have Consequences for DoD Contractors

CMMC Model 2.0 was announced in 2021 and will be implemented very soon.

The Rules:

  • Part 32 of the Code of Federal Regulations (CFR): Federal Acquisition Rules (FAR)
  • Part 48 of the CFR: Defense Federal Acquisition Regulation Supplement (DFARS)

All DoD contractors will be required to comply once rulemaking is final. A public comment period will last through May 2023, and DoD solicitations will include CMMC requirements.

Although rulemaking will not be final until this time, the DoD encourages contractors to continue improving their cybersecurity posture during the interim period while the rulemaking is underway.

CMMC Certification: Do Not Wait

Preparing for CMMC Level 2 is time-intensive and not a zero-sum game. The finalization of rulemaking may catch some DoD contractors off guard if the prerequisites have not yet been completed. The prerequisites must be met before CMMC certification can be achieved.

The CMMC Ecosystem will be stretched, and there could be a mad rush to the finish line once final rulemaking is completed. If you have not already, start the journey with the DFARS clauses.

Doing nothing is not a plan; it’s risky and ignores FAR, CUI, DFARS, and CMMC compliance requirements.

Minimum CMMC Compliance Requirements

Some contractors still need to complete their prerequisites to CMMC, which are based on the rules (CFR Part 32 and Part 48). All DoD contractors that store, process, and/or transmit Controlled Unclassified Information (CUI) must meet the following:

  1. FAR 52.204-21: “Basic Safeguarding Cybersecurity Requirements for Federal Contractors” – 15 Security Controls
  2. DFARS Clause 252.204-7012: NIST SP 800-171 Self-Assessment – 110 Security Controls – complete by 12/2017
  3. DFARS Clause 252.204-7019: NIST SP 800-171 Self-Assessment (reportable score to the Supplier Performance Risk System)
  4. DFARS Clause 252.204-7020: NIST SP 800-171 Independently Assessed by DCMA / DIBCAC (mostly large contractors)

At a minimum, small to medium businesses (SMB) must meet numbers 1, 2, and 3 above. The DoD contractor must meet the 15 basic safeguarding requirements (#1 above), conduct a self-assessment of the 110 security controls in NIST SP 800-171 (#2 above), and report its SPRS score based on that assessment (#3 above).

Recommended Steps for CMMC Readiness

  1. Know where CUI is processed, stored, and transmitted
  2. Isolate CUI
  3. Document CUI boundaries
  4. Get familiar with CMMC 2.0 Source documents:
    1. CMMC Scoping Guidance
    2. CMMC Assessment Guides for Level 1 and Level 2 (Level 3 is still undefined)
    3. CMMC Assessment Process (currently still in draft)
  5. Develop a detailed System Security Plan (SSP) in accordance with CA.L2-3.12.4 (a CMMC prerequisite)
    1. Lack of an SSP, or an SSP that lacks sufficient detail, will fail an assessment before the assessment has a chance to get off the ground
    2. Most SSPs will be 50+ pages; many are 100+
    3. Assign roles, responsibilities, and tasks
    4. Non-IT stakeholders must be involved as this is not an IT-only endeavor
    5. Recommend a Responsibility Traceability Matrix (RTM) that outlines organizational roles and responsibilities for each CMMC Practice
    6. Recommend defining all 320 assessment objectives
  6. Analyze Gaps against DFARS 252.204-7012, DFARS 252.204-7019, and eventually DFARS 252.204-7021
    1. Use the CMMC Assessment Guide for Level 1 or Level 2 as appropriate
    2. Ensure NIST SP 800-171 self-assessment is completed (CMMC prerequisite)
  7. Post SPRS Score in accordance with DFARS 252.204-7019 (also a CMMC prerequisite)
    1. Recommend the SPRS Score be calculated based on the architecture to isolate CUI
  8. Coordinate with External Service Providers (ESP) based on the CMMC Scoping Guide
    1. Complete a Shared Responsibility Model (SRM) that establishes responsibility and accountability between your organization and service providers
    2. Annotate in the SSP
  9. Remediate all gaps found in the self-assessment
  10. Get an independent consultant to review (fresh eyes to review gaps or validate that controls are implemented)

DoD Contractors Should Plan a Strategy

Plan a strategy for preparing for a CMMC assessment. A good way of doing this is to have a target date for CMMC readiness. This is in the DoD contractor’s control. Failing a CMMC assessment for certification has a significant financial impact as it could cause the contractor to be ineligible for contract award.

Start the journey now, especially if you have missed some checkpoints along the way!

Tony Buenger

CCISO, CISSP, CISM, CGEIT
Director, Governance, Risk, and Compliance

Tony Buenger is a skilled and dedicated security and governance professional with decades of experience in Department of Defense (DoD) cybersecurity consulting, planning, and implementation. Tony is a retired Lieutenant Colonel with the U.S. Air Force with 22 years of service and spent 15 of those years working in the Pentagon and other DoD agencies to help modernize security infrastructure and systems. This work includes converting the USAF from DIACAP compliance to a more modern risk-based approach based on NIST and the Risk Management Framework (RMF).