ARTICLE
Brought to you by the Construction Technology committee and member Bill Vann, Data Net Solutions Group

For companies doing business with the Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) has been a source of confusion for nearly five years. CMMC is a certification process designed to measure a company's maturity and institutionalization of cybersecurity practices and processes. The CMMC program, announced by the DoD in 2021, was initially projected to take up to two years, with completion of the rulemaking expected by March 2023 and CMMC 2.0 language appearing in contracts by May 2023. Unfortunately, the DoD has been delayed more than seven months in sending the rule package to the Office of Management and Budget (OMB) for evaluation. The proposed CMMC rule published in November 2021 was reviewed by the OMB in January 2023. The DoD has suspended any CMMC 2.0 pilot efforts and will not approve inclusion of a CMMC 2.0 requirement in DoD solicitations until the CMMC 2.0 changes become effective. The latest objective timeline for implementing contractor compliance with CMMC 2.0 requirements is FY 2025.

Rule Making Detail

All DoD contractors are currently responsible for all 110 of the NIST 800-171 practices. With CMMC 2.0 they will be required to meet, at a minimum, Level 1 (foundational, with 17 required cybersecurity practices and annual self-assessments), for which satisfaction of the associated requirements can be self-attested, or Level 2 (advanced, with 110 required practices aligned with NIST 800-171).

What changes now for DoD contractors?

The recent slip in the CMMC 2.0 rulemaking and rollout does not materially affect Defense Industrial Base (DIB) contractors, as the DoD's official compliance timeline remains FY 2025. The difference between NIST 800-171 and CMMC 2.0 is that CMMC 2.0 requires contractors to be assessed and accredited by a CMMC 3rd Party Assessment Organization (C3PAO).

The current DFARS clauses 7012, 7019 and 7020 remain in effect and continue to appear in DoD contracts:

DFARS 7012 mandates that DIB organizations self-attest to full NIST 800-171 compliance.
DFARS 7019 makes these compliance scores available to DoD officials in the Supplier Performance Risk System (SPRS) database.
DFARS 7020 gives the DoD's Defense Contract Management Agency (DCMA) the right to access a DIB organization's systems to perform its own NIST 800-171 compliance assessment.

Companies with these DFARS clauses in their current DoD contracts must follow NIST 800-171 with all 110 controls in place to protect controlled unclassified information (CUI). Despite the challenges with the CMMC rollout, the DoD remains committed to protecting CUI across the DIB, and prime contractors are enforcing 800-171/CMMC cybersecurity requirements as a condition of participating in RFPs. Failure to comply with DFARS contract requirements will have business and legal impacts. With cyber threats on the rise, companies whose cybersecurity posture is insufficient to protect CUI are at risk. Expert support is recommended to identify gaps in DFARS/CMMC compliance posture and to plan for achieving provable security and compliance. Contact the AGC Construction Technology committee for a list of preferred vendors.