The Cybersecurity Maturity Model Certification (CMMC) Proposed Rule (CMMC 2.0) was released on December 26, 2023. This was a watershed moment for those who believed that CMMC was going away.

According to the Department of Defense, for the past decade or longer, the United States’ strategic competitors have been able to exploit vulnerabilities in the DoD supply chain by stealing U.S. intellectual property, impacting national security and decreasing the confidence in the security of products and services delivered to the DoD. Contractor facilities—including design, development, networks, supply chains and personnel—have been used by threat actors as cyber pathways to access government program organizations and systems to steal, alter and impact systems for their own objectives.

The CMMC program was developed to provide the DoD verification that defense contractors and subcontractors have implemented the prescribed cybersecurity standards. These apply to acquisition programs and systems for the safeguarding of government data during a government contract period of performance:

  • Federal Contract Information (FCI)
  • Controlled Unclassified Information (CUI)

Since 2017, defense contractors have had a DFARS 252.204-7012 clause in their contracts by default, requiring alignment with NIST Special Publication 800-171. Contractors have been attesting to implementing these requirements by signing the contracts. In 2019 and 2022, the Department of Defense Inspector General (DoD IG) noted that these requirements were not being implemented by defense contractors. As such, the CMMC program was developed and then updated.

What Does That Mean for Organizations?

To be awarded defense contracts, or be part of a prime contractor’s supply chain, organizations must meet control requirements as applicable to the contract.

CMMC will be moving forward with a phased roll-out once adjudication of the 60-day comment period is completed. So, if you have been waiting to implement NIST 800-171 based on contract requirements (FAR 52.204-21 or DFARS 252.204-7012 and more recently 7019, 7020), it’s time to get started.

Why Should I Care?

Failure to submit a self-assessment score into SPRS means you cannot bid on or win a DoD contract.

Failure to comply with NIST 800-171 controls and ultimately prepare for CMMC 2.0 means that you will no longer be able to bid on or be awarded future contracts, or, when this rule goes into effect, current contract option years may not be awarded.

What Can I Do Now?

While similar steps are required for organizations to implement the NIST 800-171 controls, timelines vary based on an organization’s environment. Generally, it can take up to 18 months to get prepared for a CMMC assessment.

Here’s a general checklist to guide you:

  • Review and understand your current contract requirements.[1]
  • Understand and document your organization’s data flows.[2]
  • Identify your asset classification, or which assets process, store or transmit CUI.
  • Review the organization’s information systems, networks and service providers to identify and establish the boundaries within which Controlled Unclassified Information (CUI) is processed, stored and transmitted.
  • Identify Service Providers that process, store or transmit CUI for CMMC Certification requirements or FedRAMP Moderate solutions.
  • Review and update the technical approach.
  • Identify and prioritize the gaps and risks that need to be addressed to achieve the desired CMMC level.
  • Develop and review System Security Plans and Plans of Action and Milestones (POA&Ms).
  • Address outstanding POA&Ms by updating policies, processes and practices.

Withum is a Founding Member of the CMMC Industry Standards Council (CISC) and can augment your organization’s expertise with qualified individuals who partner with you on the journey toward meeting NIST SP 800-171 cybersecurity requirements.

Author: Jason Spezzano, Executive Cybersecurity Advisor


[1] Organizations MUST ensure they understand the type of CUI they handle. Information designated as CUI Specified has underlying laws, regulations or policies that apply. See eCFR, 32 CFR 2002.14, Safeguarding.

[2] What type of data do you process, store and transmit, how does it come in, where does it go and how do you dispose of it (people, process and technology)? Understanding your organization’s data flows is foundational to understanding your assessment scope and CUI boundaries.
