Proposed Rule: CMMC Program 2023-27280 Summary

Enhancing Cybersecurity: An Overview of the Proposed Cybersecurity Maturity Model Certification (CMMC) Program for 2023-27280

In the pursuit of bolstering national defense capabilities, a proposed rule, titled “Cybersecurity Maturity Model Certification (CMMC) Program 2023-27280” (26 Dec), has been introduced. This rule aims to establish a robust and adaptable assessment mechanism, the CMMC Program, to ensure that defense contractors and subcontractors have implemented essential security measures.

Key Points:

  1. Comprehensive Security Measures: The proposed rule outlines requirements for a comprehensive and scalable assessment mechanism, the CMMC Program. This initiative is designed to guarantee that defense contractors and subcontractors have integrated the necessary security measures.
  2. Statutory Changes: Notably, this proposed rule communicates changes to Title 32 of the Code of Federal Regulations (CFR), specifically addressing National Defense statutory requirements. It signifies a crucial step in aligning regulations with evolving cybersecurity needs.
  3. DFARS Implementation: A separate rule is anticipated to be issued to address the integration of the CMMC Program into the Defense Federal Acquisition Regulation Supplement (DFARS) framework (48 CFR). This will encompass modifications to existing Department of Defense (DoD) solicitation provisions and contract clauses, such as DFARS 252.204-7021, which outlines CMMC requirements.
  4. Unresolved Aspects: Despite the proposed rule’s advancements, there remain uncertainties surrounding certain aspects of the CMMC Program. One significant unknown is the timeline for permitting self-assessments for CMMC Level 2 designations.

The introduction of the proposed rule for the Cybersecurity Maturity Model Certification (CMMC) Program marks a pivotal moment in enhancing the cybersecurity posture of defense contractors and subcontractors. As the regulatory landscape evolves, a keen focus on the forthcoming rule addressing DFARS implementation will provide further insights into the practical application of CMMC requirements within the defense procurement framework. Stay tuned for updates on the evolving landscape of cybersecurity regulations in the defense sector.

CMMC Level 1: A Closer Look at Compliance Evolution and New Protocols

In the dynamic realm of cybersecurity, staying abreast of compliance requirements is paramount for defense contractors and subcontractors. This blog post aims to dissect the intricacies of CMMC Level 1, highlighting established compliance essentials and shining a spotlight on novel protocols that have been introduced to fortify security measures.

Compliance Essentials:

  1. FAR Clause 52.204-21(b)(1) Requirements: (NOT NEW)
    • CMMC Level 1 mandates compliance with the 15 requirements/controls listed in FAR clause 52.204-21(b)(1). These serve as foundational elements for securing unclassified information systems owned or operated by contractors. FAR clause 52.204-21 addresses systems that process, store, or transmit Federal Contract Information (FCI).
    • Defining Federal Contract Information (FCI): FCI is defined as information not intended for public release, provided by or generated for the Government under a contract to develop or deliver a product or service. It excludes information disseminated by the Government to the public and basic transactional details necessary for payment processing.

New Protocols:

  1. Annual Self-Assessment Verification: (NEW)
    • A significant addition to CMMC Level 1 involves the introduction of an annual self-assessment verification process. Contractors and applicable subcontractors are now mandated to verify, through self-assessment, the implementation of all applicable security requirements in FAR clause 52.204-21. This proactive measure is designed to ensure continuous adherence to established security standards.
    • Submission to SPRS: The results of these self-assessments must be diligently entered into the Supplier Performance Risk System (SPRS), providing a transparent record of the cybersecurity measures in place.
  2. Annual Affirmation of Continuing Compliance: (NEW)
    • Another noteworthy addition is the requirement for a senior official from both the prime contractor and any applicable subcontractor to annually affirm continuing compliance. This annual affirmation serves as a strategic checkpoint, reinforcing the commitment to upholding and evolving cybersecurity practices.
    • Upload to SPRS: The documented affirmation of compliance must be uploaded to the Supplier Performance Risk System (SPRS), enhancing transparency and accountability in the compliance process.

In Conclusion:

CMMC Level 1 not only establishes foundational compliance requirements but introduces new and proactive protocols. As the industry adapts to these changes, the incorporation of annual self-assessment verifications and affirmations of continuing compliance signifies a forward-looking approach toward continually improving and reinforcing the cybersecurity posture of defense contractors. Stay informed and stay secure as we navigate the evolving landscape of cybersecurity standards.

CMMC Level 2: Navigating the Requirements and New Protocols

As defense contractors and subcontractors continue to adapt to the evolving landscape of cybersecurity, it’s crucial to delve into the specifics of CMMC Level 2. This blog post explores the compliance essentials, highlighting existing requirements and shedding light on significant new protocols introduced to fortify information security practices.

Compliance Requirements:

CMMC Level 2 mandates compliance with 110 requirements and controls outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2. This adherence is specified by the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021. It’s important to note that these requirements are not new but provide a comprehensive framework for securing unclassified information systems handling Covered Defense Information (CDI).

Defining Covered Defense Information (CDI):

CDI, as defined in DFARS, encompasses unclassified controlled technical information or other information listed in the Controlled Unclassified Information (CUI) Registry. It necessitates safeguarding or dissemination controls in line with laws, regulations, and government-wide policies. Essentially, CDI equates to CUI and includes information marked in the contract or developed, received, transmitted, used, or stored by the contractor in support of the contract.

New Protocols:

  1. Triennial Verification: A notable addition to CMMC Level 2 involves the introduction of triennial (every 3 years) verification procedures. Contractors and applicable subcontractors are now required to verify the implementation of all applicable security requirements in NIST SP 800-171 Rev 2. The results of these verifications must be diligently entered into the Supplier Performance Risk System (SPRS).
  2. Assessment Requirements: As determined by the Department of Defense (DoD), contracts will now include either a self-assessment requirement or a Certification Assessment requirement by a CMMC Certifier. This nuanced approach allows for flexibility in meeting the certification criteria based on DoD determinations.
  3. Affirmation of Compliance: Post-assessment, a senior official from both the prime contractor and any applicable subcontractor is mandated to affirm compliance. This affirmation must occur after every assessment and, subsequently, on an annual basis. The documented affirmation of compliance is to be uploaded to the Supplier Performance Risk System (SPRS).

In Conclusion:

CMMC Level 2 not only reinforces existing requirements but introduces crucial new protocols to enhance the cybersecurity posture of defense contractors. As the industry adapts to these changes, the integration of triennial verifications, diverse assessment requirements, and annual affirmations signifies a proactive approach toward continual improvement and vigilance in securing Covered Defense Information. Stay informed and stay secure as we navigate the evolving landscape of cybersecurity standards.

CMMC Level 3: New Horizons and Protocols for Advanced Cybersecurity

As cybersecurity standards continue to evolve, defense contractors find themselves navigating the intricacies of the Cybersecurity Maturity Model Certification (CMMC). In this blog post, we unravel the nuances of CMMC Level 3, spotlighting both its distinctive certification requirements and the introduction of novel protocols to fortify information security practices.

Certification Requirements:

  1. CMMC Level 2 Certification Prerequisite:
    • CMMC Level 3 serves as the next frontier, building upon Level 2 certification. To achieve Level 3, contractors must first obtain Level 2 CMMC certification. This prerequisite ensures a foundational level of cybersecurity maturity before advancing to the more sophisticated Level 3.
  2. Integration of NIST SP 800-172 Requirements: (NEW)
    • A pivotal addition to CMMC Level 3 involves compliance with 24 selected requirements from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172. This integration reflects an advanced layer of security measures, addressing specific elements crucial for protecting sensitive information.
  3. Focused Applicability:
    • CMMC Level 3 is designed to apply primarily to a select group of defense contractors and subcontractors. This subset plays a critical role in supporting the Department of Defense’s (DoD) most vital programs and technologies. The tailored approach ensures that the most stringent cybersecurity measures are implemented where they matter most.

New Protocols:

  1. Triennial DoD Assessment: (NEW)
    • In a departure from the annual self-assessment model, CMMC Level 3 introduces a triennial (every 3 years) Department of Defense (DoD) assessment. This external evaluation, conducted by the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), ensures a thorough and objective review of implemented security requirements from NIST SP 800-172.
    • Electronic Transmission to SPRS: Assessment results are entered into the Enterprise Mission Assurance Support Service (eMASS), facilitating electronic transmission into the Supplier Performance Risk System (SPRS). This streamlined process enhances transparency and accountability in reporting.
  2. Annual Affirmation of Compliance: (NEW)
    • Post-assessment, a senior official from both the prime contractor and any applicable subcontractor is mandated to affirm compliance annually. This reaffirmation serves as a continual commitment to upholding and evolving cybersecurity practices, further solidifying the security posture of Level 3 contractors.

In Conclusion:

CMMC Level 3 represents a significant step forward in the quest for advanced cybersecurity maturity. By building on the foundation of Level 2 certification and incorporating stringent requirements from NIST SP 800-172, Level 3 introduces a tailored approach to security. Embracing triennial assessments and annual affirmations, Level 3 sets a high standard for defense contractors supporting the most critical programs and technologies. Stay informed and stay secure as we traverse the evolving landscape of cybersecurity standards.

Understanding CMMC Applicability: Navigating Compliance Requirements

In the realm of cybersecurity compliance, the Cybersecurity Maturity Model Certification (CMMC) serves as a crucial framework for defense contractors and subcontractors. In this blog post, we delve into the applicability of CMMC, shedding light on who it affects and the nuances surrounding its implementation.

Key Applicability Points:

  1. Scope of Applicability:
    • CMMC applies to all Department of Defense (DoD) contract and subcontract awardees tasked with processing, storing, or transmitting information that meets the standards for Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on contractor information systems.
  2. Exclusions:
    • Notably, CMMC does not extend to Government information systems operated by contractors on behalf of the Government. Additionally, acquisitions exclusively for Commercial Off-the-Shelf (COTS) items or those falling under the micro-purchase threshold are exempt from CMMC requirements.
  3. Responsibility for CMMC Level Selection:
    • The responsibility for selecting the appropriate CMMC Level falls on DoD Program Managers or Requiring Activities. They base their decision on the type of information, whether FCI or CUI, that will be processed, stored, or transmitted through a contractor information system.
  4. Potential Waivers:
    • While DoD Service Acquisition Executives or Component Acquisition Executives may, in rare instances, opt to waive the inclusion of CMMC Program requirements in a solicitation or contract, it’s crucial to note that contractors and subcontractors remain obligated to comply with all applicable cybersecurity and information security requirements. For instance, adherence to FAR 52.204-21 and DFARS 252.204-7012 remains imperative.
    • Upcoming Waiver Procedures: It’s worth mentioning that specific procedures for obtaining waivers will be outlined in the forthcoming rule detailing DFARS implementation.

In Conclusion:

Understanding the applicability of CMMC is foundational for defense contractors seeking compliance with cybersecurity standards. As the DoD emphasizes the significance of securing information systems, contractors must navigate the nuances of CMMC requirements, exceptions, and potential waivers. Stay tuned for updates as the forthcoming rule on DFARS implementation is set to provide additional insights into waiver procedures and further refine the compliance landscape. Stay informed and stay secure as we navigate the evolving terrain of cybersecurity standards in government contracts.

Navigating the CMMC Implementation Journey: A Comprehensive Overview

As the Department of Defense (DoD) ushers in the Cybersecurity Maturity Model Certification (CMMC), defense contractors are gearing up for a transformative compliance landscape. This blog post aims to provide a comprehensive overview of the anticipated four phases of CMMC implementation and the flow-down requirements to subcontractors.

CMMC Implementation Phases:

Phase 1:

  • Initiates on the effective date of the CMMC revision to DFARS 252.204-7021 (still forthcoming).
  • DoD aims to introduce CMMC Level 1 and CMMC Level 2 Self-Assessments for applicable solicitations and contracts as prerequisites for contract award.
  • Option exercises on existing contracts may also include CMMC Level 1 or CMMC Level 2 Self-Assessments, as determined by the DoD.
  • At DoD's discretion, a CMMC Level 2 Certification Assessment (by a CMMC Certifier) may be required in place of a self-assessment.

Phase 2:

  • Begins six months following the start date of Phase 1, incorporating all Phase 1 requirements.
  • CMMC Level 2 Certification Assessment (by a CMMC Certifier) becomes a condition for contract award.
  • DoD may delay the inclusion of CMMC Level 2 Certification Assessment to an option period, as deemed necessary.
  • An optional inclusion of Level 3 Certification Assessment (by DIBCAC) may also be exercised at the discretion of the DoD.

Phase 3:

  • Starts one calendar year after the initiation of Phase 2, encompassing all Phase 1 and 2 requirements.
  • CMMC Level 2 Certification Assessment (by a CMMC Certifier) becomes mandatory for contract award and option exercise under existing contracts.
  • CMMC Level 3 Certification Assessment (by DIBCAC) is introduced as a requirement for all applicable solicitations and contracts.
  • DoD may, at its discretion, delay the Level 3 Certification Assessment (by DIBCAC) to an option period.

Phase 4 (Full Implementation):

  • Commences one calendar year following the start date of Phase 3.
  • CMMC Program requirements are integrated into all applicable DoD solicitations and contracts, including option periods on existing contracts.

CMMC Flow-Down to Subcontractors:

  • CMMC Level requirements extend to prime contractors and subcontractors at all tiers involved in processing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
  • Subcontractors handling only FCI require a CMMC Level 1 Self-Assessment.
  • Subcontractors dealing with CUI must undergo at least a CMMC Level 2 Self-Assessment.
  • If the prime contract requires a Level 2 Certification Assessment, subcontractors must meet that same requirement.
  • In cases where the prime contractor mandates a Level 3 Certification Assessment, subcontractors must meet at least a Level 2 Certification Assessment requirement.

International Subcontractor Considerations:

  • The Federal Register acknowledges concerns about applying CMMC to international subcontractors.
  • DoD’s response clarifies that all contractors, including international subcontractors, must comply with contract terms and conditions, including cybersecurity protections and assessments without special considerations.

As CMMC implementation unfolds in four phases, defense contractors need to be vigilant in adapting to evolving requirements. This comprehensive overview aims to guide them through the anticipated journey, emphasizing the importance of understanding the flow-down requirements and the universal application of CMMC standards to subcontractors, including those operating on an international scale. Stay informed and stay compliant as we navigate the path to a more secure defense contracting environment.

Attain CMMC and DFARS Compliance Affordably with Intech Hawaii’s Solutions

Intech Hawaii emerges as the leading and cost-efficient service provider tailored to assist businesses in handling Controlled Unclassified Information (CUI), an essential prerequisite for collaborations with the federal government. The CMMC accreditation body mandates unwavering compliance with DFARS requirements, irrespective of the specific CMMC certification level.

For Intech Hawaii, this solution functions as an economical and pragmatic tool for managing CUI risks within their supply chain. Subcontractors associated with the company can leverage Intech Hawaii to align with DFARS, streamlining the journey to CMMC certification in a shorter timeframe and at a considerably lower cost compared to navigating the process independently.
