CMMC 2.0: You Cannot Afford to Wait

CMMC Model 2.0 was announced in November 2021 and will be implemented through the rule-making process.

The Two Rules Are:

  1. Part 32 of the Code of Federal Regulations (CFR), the Federal Acquisition Regulation (FAR)
  2. Part 48 of the CFR, the Defense Federal Acquisition Regulation Supplement (DFARS)

DoD contractors will be required to comply once rule-making is final. Both rules will have a public comment period, which is expected to last through May 2023. At that point, CMMC requirements will begin to be included in DoD solicitations. Although rule-making will not be final until then, the DoD encourages contractors to keep improving their cybersecurity posture during the interim period while the rule-making is underway.

Best Practice for Protecting Controlled Unclassified Information

Some contractors have not completed the prerequisites to CMMC, which are based on the rules (CFR Part 32 and Part 48). All DoD contractors that store, process, and/or transmit Controlled Unclassified Information (CUI) must meet the following:

  1. FAR 52.204-21: “Basic Safeguarding” Cybersecurity Requirements for Federal Contractors – 15 Security Controls
  2. DFARS Clause 252.204-7012: NIST SP 800-171 Self-Assessment – 110 Security Controls – complete by 12/2017
  3. DFARS Clause 252.204-7019: NIST SP 800-171 Self-Assessment [Reportable Score to Supplier Performance Risk System (SPRS)]
  4. DFARS Clause 252.204-7020: NIST SP 800-171 Independently Assessed by DCMA / DIBCAC [mostly large contractors]

At a minimum, small to medium businesses (SMB) must meet numbers 1, 2, and 3 above. The DoD contractor must meet the 15 basic safeguarding requirements (#1 above), conduct a self-assessment of the 110 security controls in NIST SP 800-171 (#2 above), and report its SPRS score based on that assessment (#3 above).

Do Not Wait to Prepare for CMMC Certification

Preparing for CMMC Level 2 is time-intensive and not a zero-sum game. The finalization of rule-making may catch some DoD contractors off guard if the prerequisites are not completed.

CMMC Certification Cannot be Achieved Without Meeting the Prerequisites

The CMMC ecosystem will be stretched, and there could be a mad rush to the finish line once final rule-making is completed. Starting the journey, if it has not already started, begins with the DFARS clauses. Doing nothing is not a plan; it is risky and ignores FAR, CUI, DFARS, and CMMC compliance requirements.

Recommended Steps for CMMC Readiness

  1. Define your CUI boundaries:
    1. Know where CUI is
    2. Isolate CUI
    3. This should be done regardless of CMMC requirements; protecting CUI has been a requirement since 2015
  2. Develop your System Security Plan (SSP)
    1. Without an SSP, an SPRS score cannot be calculated.
    2. Lack of an SSP or an SSP that lacks sufficient detail will fail an assessment before the assessment has a chance to get off the ground.
    3. Most SSPs will be 50+ pages; many are 100+ pages.
  3. Ensure your NIST SP 800-171 self-assessment is completed
  4. Post your SPRS score if not done yet (per DFARS 7019)
    1. This is not an IT-only endeavor; non-IT stakeholders must be involved.
  5. Get familiar with CMMC 2.0 Source documents:
    1. CMMC Scoping Guidance
    2. CMMC Assessment Guides
    3. CMMC Assessment Process (on its way)
  6. Assign roles, responsibilities, and tasks
    1. Recommend a Responsibility Traceability Matrix (RTM)
  7. Coordinate with your managed service providers (MSP) and cloud service providers (CSP)
    1. Ensure there is a Shared Responsibility Model (SRM) that establishes responsibility and accountability between your company and service providers
  8. Remediate all gaps found in the self-assessment
  9. Get an independent consultant to review (fresh eyes to review gaps or validate controls are implemented)

You Need a Strategy to CMMC Readiness

Plan a strategy for preparing for a CMMC assessment. A good way to do this is to set a target date for CMMC readiness. Have no fear; this is within the DoD contractor’s control. Failing a CMMC assessment for certification has a significant financial impact, as it could make the contractor ineligible for contract award.

Start the journey now—especially if you have missed some checkpoints along the way!

Tony Buenger

CCISO, CISSP, CISM, CGEIT
Director, Governance, Risk, and Compliance

Tony Buenger is a skilled and dedicated security and governance professional with decades of experience in Department of Defense (DoD) cybersecurity consulting, planning, and implementation. Tony is a retired Lieutenant Colonel in the U.S. Air Force with 22 years of service and spent 15 of those years working in the Pentagon and other DoD agencies to help modernize security infrastructure and systems. This work includes converting the USAF from DIACAP compliance to a more modern risk-based approach based on NIST and the Risk Management Framework (RMF).
