DFARS Compliance: Intro Guide for DoD Contractors
The Cybersecurity Maturity Model Certification (CMMC) is meant to help protect controlled unclassified information (CUI) from being compromised by hackers. CUI refers to information that is not explicitly classified but could compromise national security if accessed by malicious parties.
Organizations that support the Department of Defense need to meet specifications to ensure that data is protected to the required levels. Any companies that work with controlled unclassified information are legally required to implement controls and cybersecurity measures to protect data. CMMC requires that contractors prove their data security practices through an official accreditation process.
In November 2021, the Pentagon rolled out CMMC 2.0, which reduced the number of certification levels from five to three and allowed company self-assessment in some cases. The model exists so that contractors in the Defense Industrial Base (DIB) can assess and improve their cybersecurity posture, and so that every DoD contractor implements appropriate cybersecurity practices and procedures to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Let’s look at each of the new levels.
CMMC 2.0 Level 1: Foundational
Level 1 requires organizations to engage in basic cybersecurity practices. CMMC Level 1 applies to companies focused on the protection of Federal Contract Information (FCI). Level 1 is based on the 17 practices from Federal Acquisition Regulation (FAR) Clause 52.204-21. The Level 1 practices establish the security foundation on which the higher levels of the model are built, and every certified organization must complete them.
CMMC 2.0 Level 2: Advanced
Level 2 is meant to provide a framework of advanced cyber hygiene for companies protecting Controlled Unclassified Information (CUI). Level 2 includes 110 practices aligned with NIST SP 800-171 and satisfies Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7012, 252.204-7019, and 252.204-7020.
CMMC 2.0 Level 3: Expert
Level 3 is considered expert cyber hygiene for the highest-priority programs handling Controlled Unclassified Information (CUI). The CMMC 2.0 guidelines focus the Level 3 framework on reducing exposure to advanced persistent threats (APTs) by requiring an organization to establish, maintain, and resource a plan for managing the activities needed to implement its cybersecurity practices. This plan may incorporate goals, missions, resources, training plans, and stakeholder involvement. Level 3 builds on Level 2 by adding the controls found in NIST SP 800-172.
Who Needs CMMC 2.0 Certification
CMMC 2.0 certification is required for all contractors and subcontractors in the DIB at the level their contract stipulates. Contractors that do not comply will not be able to bid for new contracts or be awarded a contract until they can demonstrate compliance with the level required in the agreement.
The CMMC Certification Process Via CMMC Consultant or Self-Assessment
Whether you decide to engage in a CMMC self-assessment or work with an expert CMMC consultant, there are a few steps you’ll need to take to properly show you meet the requirements for the level of CMMC in your contract.
- CUI Discovery
- CMMC Readiness Assessment
- Build a Remediation Plan
CUI Discovery: Identify Protected Data
To protect CUI, you first need to determine where it is stored and how it is transferred. This step sounds simple but requires groundwork: simply identifying what counts as CUI and finding where it lives in your network is a big task. Controlled data can include contact information, names or identification numbers, and technical data. In any case, your contract should specify exactly what information you need to protect.
If you complete this step before going for your CMMC audit, you can save costs by focusing solely on systems that handle CUI. However, we strongly recommend taking this opportunity to increase your entire organization’s cybersecurity in general.
CMMC Readiness Assessment
Are you aware of where you may have gaps in your security strategy? Conducting a Readiness Assessment will help you understand exactly where to focus your efforts to meet the CMMC level required of your organization. This information is then used to create a remediation plan. If you are required to submit a self-assessment, a gap analysis will meet that requirement. At Level 2 of the CMMC 2.0 framework, where most contractors will find their contracts, each control needs to be in place, documented, and supported by two pieces of evidence.
Building Your Remediation Plan
A remediation plan is a task list of the corrective actions identified by your self-assessment or NIST 800-171 DoD Assessment. For the latter, this becomes your POAM (Plan of Action and Milestones). The plan should capture the practices and processes behind each cybersecurity control: how it is implemented, who owns it, and when implementation will be complete.
If your gap analysis reveals that your organization already has the necessary controls, great! Your remediation plan is the opportunity to document that fact and provide evidence. If not, the remediation plan can recommend the required controls and suggest ways to limit the scope of compliance, for example by segmenting networks so that compliance obligations apply only to the systems and people that work with CUI.
SCA is a CYBER-AB Registered Practitioner Organization (RPO) and offers the following CMMC consulting services to help DoD contractors satisfy DFARS and CMMC requirements:
- NIST 800-171 DoD Assessment
- CMMC Readiness Assessment
- System Security Plan Program
- Remediation Progress Reviews
- Centurion ESO (Executive Security Officer)