
Understanding the Proposed Rule for CMMC: Navigating the Future of Cybersecurity Requirements in Defense Contracts

Posted by: Jenna Brankin January 23, 2024 CMMC

The implementation of the Cybersecurity Maturity Model Certification (CMMC) framework will drive important changes for defense contractors and subcontractors. These changes are aimed at bolstering the collective security of the Department of Defense (DoD), the Defense Industrial Base (DIB), and the sensitive unclassified data they share; they are the next logical step in the evolution of cybersecurity standards and practices across the DoD supply chain, intended to enhance its resilience and security. This blog breaks down the critical aspects of the CMMC Proposed Rule recently published in the Federal Register, what it means for those in the defense sector, and the actions organizations should take to adapt and align with these cybersecurity standards. 

What is CMMC? 

CMMC is a framework created to improve DIB organizations’ cybersecurity posture and better protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) throughout the DoD supply chain. 

  • Alignment with NIST Standards: It closely aligns with the existing NIST SP 800-171 standards that many DIB companies already must meet today, promoting consistency and a smooth transition from existing requirements. 
  • Assessment Requirements: Depending on which of the three CMMC maturity levels an organization pursues, companies may conduct a self-assessment or require third-party certification. The latter reflects one of CMMC’s most significant changes from current security requirements to achieve the DoD’s desired objectives. 

Understanding the CMMC Maturity Levels 

  1. CMMC Level 1 (Foundational):
    • Targets organizations handling Federal Contract Information (FCI). 
    • Involves the basic cyber hygiene practices outlined in FAR 52.204-21, encompassing 15 practices across six domains (Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communication Protections, and System and Information Integrity). 
    • Requires annual self-assessment and executive affirmation. 
  2. CMMC Level 2 (Advanced):
    • Targets organizations handling Controlled Unclassified Information (CUI). 
    • Requires an institutionalized management plan to protect CUI, aligning with NIST SP 800-171, which includes 110 cybersecurity controls across 14 domains. 
    • Includes development of a System Security Plan (SSP) and, if necessary, a Plan of Action and Milestones (POA&M) to address deficiencies. Identified POA&M items must be closed within 180 days. 
    • Mandates independent assessments every three years, usually by a CMMC Third Party Assessment Organization (C3PAO); however, some contracts will only require self-attestation. 
  3. CMMC Level 3 (Expert):
    • Targets organizations working on highly critical defense programs. 
    • Goes beyond Level 2 standards, requiring optimized processes and enhanced practices to counter advanced persistent threats (APTs). 
    • Includes 110+ controls, based on NIST SP 800-171 plus additional controls from NIST SP 800-172. 
    • Requires independent assessments every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). 

Publication of the Proposed Rule 

The CMMC Proposed Rule was published in the Federal Register on December 26, 2023, marking a pivotal step in the CMMC program’s evolution. This begins a 60-day public comment period, allowing stakeholders to voice their opinions, concerns, and suggested updates. The DoD will rely on this feedback to shape the final form of CMMC. Key takeaways from the Proposed Rule include: 

  1. Finalization of CMMC: The Proposed Rule’s publication brings us much closer to the adoption of Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021, which officially makes CMMC accreditation mandatory for all bidders on contract solicitations which include the clause. Defense contractors and all their subcontractor teammates must achieve CMMC accreditation at the maturity level specified in the solicitation by the time of contract award. 
  2. Security Controls at CMMC Maturity Level 2: The Proposed Rule stipulates that the security practices at CMMC Maturity Level 2 will align with the 110 controls in NIST SP 800-171 Revision 2 (r2), which are essential for contractors handling CUI and are required today by contracts that include DFARS clause 252.204-7012. 
  3. Assessment Requirements: Most organizations seeking CMMC Maturity Level 2 certification will require assessment by accredited C3PAOs (CMMC Third Party Assessment Organizations) once every three years. 
  4. POA&Ms: Plans of Action & Milestones (POA&Ms) to address any unfulfilled NIST SP 800-171 controls will be allowed under limited circumstances, with restrictions on the types of controls that can be POAMed and the duration of remediation (likely 180 days). 
  5. Encryption Requirements: Defense contractors and Cloud Service Providers that use encryption to protect CUI must use a FIPS-validated cryptographic module. 
  6. DFARS 252.204-7012 Compliance: This clause, focusing on cyber incident reporting requirements, will remain in place, affecting the use of commercial email systems. 

The Timeline 

  • 60-Day Comment Period: This started on December 26 and will end on February 26, 2024. 
  • Adjudication and Response: Post-comment period, DoD will adjudicate and respond to comments, a process that likely spans 6-12 months, with the final rule thus expected to take effect in late 2024 or early 2025. 

Preparing for CMMC 

Organizations need to take a structured approach as they navigate toward CMMC Maturity Level 2 compliance and accreditation. This includes understanding the extent and flow of CUI in their infrastructures, implementing necessary controls, conducting self-assessments, identifying and addressing gaps, and preparing for third-party assessments. 

Defense contractors must begin preparing for CMMC compliance now, regardless of the ultimate timing of the Final Rule and any phased implementation thereafter. The preparation process for achieving CMMC Maturity Level 2 certification, mirroring NIST SP 800-171 requirements, can take upwards of 12 months for a small to mid-sized company. Proactive measures today help ensure compliance and eligibility for future contracts. 

Achieving each level of CMMC compliance involves meeting specific cybersecurity requirements, with higher levels necessitating more advanced and comprehensive security measures. The path to certification, particularly for Level 2, can be streamlined by breaking down the process into manageable phases. 

Step-by-Step Guide to CMMC Level 2 Compliance 

Exostar provides a comprehensive roadmap to help businesses navigate the path and meet the required cybersecurity benchmarks to attain CMMC Maturity Level 2 compliance and accreditation. 

Mastering CMMC Maturity Level 2 involves a series of structured steps. Here is an overview, beginning with the crucial first step of defining the scope: 

Define Scope: 

  • Document CUI Flow: Map out how Controlled Unclassified Information (CUI) moves within your network. 
  • Interaction Analysis: Identify and diagram the interaction of people, processes, and tools with CUI to understand the system and data flow – where it is stored, who handles it, and what and to whom it is sent/received. 

Document & Implement:

  • Team Engagement: Collaborate with internal teams and external partners for necessary information. 
  • Implement Controls: Adhere to NIST SP 800-171 r2 controls. 
  • Self-Assessment: Conduct an internal review to determine degree of compliance with each of these controls. 
  • Documentation: Ensure thorough documentation of policies, their implementation, and evidence. 
  • POAM Creation: Develop a Plan of Actions and Milestones for controls not fully implemented. 
  • DAM Score: Create a Defense Assessment Methodology score to evaluate overall compliance status. 

Submit & Remediate: 

  • DAM Score Submission: Submit the DAM score to the Supplier Performance Risk System (SPRS) as required by DFARS clause 252.204-7019. 
  • POAM Management: Assign due dates for POAMs and track to closure, updating your DAM score in SPRS. 
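The DAM score created in the Document & Implement step and submitted to SPRS above is the NIST SP 800-171 DoD Assessment Methodology score. As an added example (not part of the original post and not Exostar’s Certification Assistant), the Python below shows how that score is derived from self-assessment results: start at 110 and subtract the weight (1, 3 or 5) of every control that is not met, with a reduced 3-point deduction for partial implementation of 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), then turn the unmet controls into POA&M items with the 180-day due date the post describes. The control subset, its weights and the sample assessment results are constructed for illustration; the weights reflect my reading of the published methodology annex and should be checked against it before use.

```python
"""Worked example: NIST SP 800-171 DoD Assessment Methodology (DAM) score.

Added illustration, not Exostar's tooling. The control subset and weights
below are a constructed sample; verify every weight against the published
DoD Assessment Methodology annex before relying on a computed score.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple

MAX_SCORE = 110            # score when every control is implemented
POAM_CLOSURE_DAYS = 180    # closure window described in the post

# ASSUMPTION (constructed subset): control id -> point value when not met.
CONTROL_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
    "3.14.2": 5,   # malicious code protection
}

# Only these two controls earn partial credit: a 3-point deduction instead
# of the full 5 (e.g. MFA on remote/privileged access only, or encryption
# that is not FIPS-validated). Any other "partial" control scores as not met.
PARTIAL_CREDIT_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUSES = ("met", "partial", "not_met")


def deduction(control: str, status: str) -> int:
    """Points subtracted for one control given its assessed status."""
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown status {status!r} for {control}")
    weight = CONTROL_WEIGHTS[control]
    if status == "met":
        return 0
    if status == "partial" and control in PARTIAL_CREDIT_DEDUCTION:
        return PARTIAL_CREDIT_DEDUCTION[control]
    return weight


def dam_score(results: Dict[str, str]) -> int:
    """110 minus the deductions for every control in the weighting table.

    Every control must be assessed; an unassessed control is an error rather
    than a silent 'met', which would overstate the score reported to SPRS.
    """
    missing = set(CONTROL_WEIGHTS) - set(results)
    if missing:
        raise KeyError(f"controls not assessed: {sorted(missing)}")
    unknown = set(results) - set(CONTROL_WEIGHTS)
    if unknown:
        raise KeyError(f"controls not in weighting table: {sorted(unknown)}")
    return MAX_SCORE - sum(deduction(c, s) for c, s in results.items())


def poam_items(results: Dict[str, str], assessed_on: date) -> List[Tuple[str, int, date]]:
    """POA&M entries (control, points at stake, due date), highest impact first."""
    items = [
        (control, deduction(control, status), assessed_on + timedelta(days=POAM_CLOSURE_DAYS))
        for control, status in results.items()
        if status != "met"
    ]
    # Remediate the heaviest deductions first; tie-break on control id.
    return sorted(items, key=lambda item: (-item[1], item[0]))


# Constructed sample self-assessment for the subset above.
SAMPLE_RESULTS: Dict[str, str] = {
    "3.1.1": "met",
    "3.1.2": "met",
    "3.1.3": "not_met",    # -1
    "3.1.5": "met",
    "3.3.1": "not_met",    # -5
    "3.5.3": "partial",    # -3 (partial credit)
    "3.13.11": "not_met",  # -5 (non-FIPS crypto gets no credit when absent)
    "3.14.2": "met",
}
SAMPLE_ASSESSMENT_DATE = date(2024, 1, 23)

if __name__ == "__main__":
    print("DAM score:", dam_score(SAMPLE_RESULTS))  # 96 for the sample
    for control, points, due in poam_items(SAMPLE_RESULTS, SAMPLE_ASSESSMENT_DATE):
        print(f"POA&M {control}: {points} point(s) at stake, close by {due}")
```

With the full 110-control weighting table the deductions sum to 313, so a real score ranges from 110 down to -203; the sample subset simply scales that down. Treating an unassessed control as an error, rather than as met, is deliberate: the score goes to SPRS under DFARS 252.204-7019, and an optimistic default would misstate the organization’s compliance status.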

Monitor & Manage: 

  • Regular Reviews: Conduct mandatory reviews and updates per NIST SP 800-171 r2. 
  • Stay Informed: Keep up to date with changes to NIST SP 800-171, understanding that Revision 3 will likely be released in Spring 2024 and may impact requirements. 
  • CUI Management: Properly mark CUI and report any incidents as required. 

Prepare for Assessment: 

  • SSP Completion: Complete your comprehensive System Security Plan and ensure it addresses all POAMs. 
  • Consolidate Documentation: Gather all necessary policies, procedures, and evidence. 
  • C3PAO Engagement: Schedule and complete an assessment with a CMMC third-party assessment organization. 

Why Choose Exostar to Help Achieve CMMC Maturity Level 2 Compliance? 

Exostar’s roadmap for CMMC Maturity Level 2 compliance provides a structured and systematic approach to meeting the rigorous standards required in the defense industry. Exostar simplifies the compliance process, making it more efficient and less daunting for organizations. 

Exostar’s CMMC Ready Suite 

  • Exostar’s Managed Microsoft 365: Enhances Microsoft 365 with additional cybersecurity features to safeguard your CUI, meeting 85 of the 110 controls required by NIST SP 800-171 
  • Certification Assistant: Facilitates self-assessment against NIST SP 800-171 controls, auto-calculates the DAM score, and generates the SSP and POAMs 
  • Exostar PolicyPro: Helps create, document, and maintain NIST SP 800-171 policies (either from scratch or using existing policies), leveraging a template library and AI engine 
  • Basic Assessment Service: Offers third-party NIST SP 800-171/CMMC assessment and gap analysis, including submission-ready assessments 

As the defense sector moves towards a more secure and regulated future, companies must proactively adopt measures that align with CMMC 2.0. Exostar’s roadmap offers a clear and actionable path towards achieving and maintaining CMMC Maturity Level 2 compliance with Exostar’s CMMC Ready Suite, ensuring that organizations are ready to meet the new era’s challenges and opportunities. 

Conclusion 

The CMMC Proposed Rule marks an important and significant milestone in the cybersecurity landscape within the defense sector. Contractors and subcontractors must understand these changes and begin their compliance journey promptly. By staying informed and taking proactive steps, companies can navigate these updates successfully and maintain their standing in the defense supply chain. 


Get Ahead with CMMC 2.0 Compliance 

The upcoming CMMC 2.0 changes are crucial for all defense contractors. To ensure you’re ready and compliant, start assessing and upgrading your cybersecurity practices now. Need help? Reach out to our cybersecurity experts for guidance on meeting the new standards. Act today to secure your place in the defense supply chain of tomorrow.