The US Department of Defense (DoD) wants all its current and potential contractors to achieve the highest standard in security and compliance levels. It is further tightening security hardening practices by implementing new and upgrading existing systems to manage risk effectively and ensure complete compliance across its internal departments and external partners.
2023 is going to be a critical year for defense contractors addressing Defense Federal Acquisition Regulation Supplement (DFARS) and Cybersecurity Maturity Model Certification (CMMC). With the strategic direction announced by the Department of Defense (DoD) to streamline the CMMC framework, the government’s program to standardize cybersecurity policies for contractors and subcontractors across the Defense Industrial Base (DIB) is now more evolved and better prepared to protect sensitive defense data.
The initial version of the CMMC was released by the US Department of Defense (DoD) in January 2020. In the past two years, in response to public comments, the framework has undergone several internal assessments and subsequently significant changes, leading to its upgrade to CMMC 2.0.
In line with this, the DoD is set to release a new DFARS Interim Rule via the DFARS 7021 clause. This will codify CMMC in regulation and require all new DoD contracts to include CMMC certification requirements. However, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take up to 24 months.
The deadline for DIB contractors and subcontractors to become fully compliant with CMMC 2.0 is tentatively May 2023. The DoD is encouraging existing and potential contractors to adopt the framework early. In fact, it is exploring options under which early adopters would have their three-year certification timeline begin only once the rule is in effect. This is still under discussion and not yet confirmed.
The initial version of the CMMC program (CMMC 1.0) was instituted by the Interim Defense Federal Acquisition Regulation Supplement (DFARS) rule, Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041), effective November 30, 2020, which further implemented the DFARS clause 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement.
The aim of CMMC 1.0 is to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) accessed and managed by DoD external contractors and subcontractors. The program consisted of a five-level process that contractors needed to follow to attain and maintain CMMC compliance. In March 2021, the Department initiated an internal assessment of CMMC 1.0, which pushed for an upgraded and refined implementation of the program, resulting in CMMC 2.0.
In short, CMMC 1.0 was about strengthening and maturing Department of Defense acquisition security and protecting controlled unclassified information (CUI) in the Defense Industrial Base (DIB) supply chain.
CMMC 2.0 enables organizations to execute CMMC with ease. It lays clear guidelines to deploy cybersecurity while clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards. Additionally, it reduces time and costs and instills a collaborative culture for security, risk management and resilience.
DIB contractors handling CUI for DoD are contractually obligated to comply with DFARS 252.204-7012, which requires them to implement the 110 security controls of NIST SP 800-171.
For this, organizations must get their SSP (System Security Plan), POA&M (Plan of Action and Milestones) and other necessary documents (security and compliance posture report, vulnerability scan report, etc.) in order to support a NIST SP 800-171 self-assessment and submit the score to the Supplier Performance Risk System (SPRS). If you are a subcontractor, be prepared for impromptu audits by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and/or for your prime contractor to check in on your SPRS score.
It is vital to stay secure and compliant if you want your organization to continue doing business with DoD. Caveonix Cloud provides continuous monitoring for any drift in security and compliance posture. This reduces the strain of manual asset threat assessment, complex tool configuration, and scheduling CI/CD pipeline scans to protect cloud workloads against malicious activity. Additionally, it provides comprehensive visibility, delivering detailed security findings and remediation plans.
Caveonix facilitates organizations with CMMC risk assessment consisting of analyzing potential threats across the organization’s cloud systems and assets, along with identifying any existing or planned controls that mitigate these threats and misconfigurations. The goal of this process is to identify vulnerabilities in cybersecurity processes so that organizations can address them before they result in data breaches or other security incidents.
Getting CMMC certified requires extensive planning and preparation, and must be done properly in order to meet regulatory and industry compliance requirements while adequately protecting data against cyber threats. Caveonix provides a unified, automated solution designed to help customers reduce the time needed to set up an environment for running secure, compliant and scalable workloads, while implementing an initial security baseline that meets US federal government standards.
Our cloud security, compliance and risk management platform helps businesses put together their risk assessments and SSPs, so that they understand exactly what information must be included in each document and how best to use it to protect their organizations against malicious actors, understand attack paths, and reduce the attack surface through which someone could potentially gain access to sensitive organizational data.
Staying continuously secure and compliant is a priority when you are preparing to obtain CMMC certification. Here is how Caveonix Cloud can accelerate your progress toward achieving and maintaining CMMC:
“Everything at this point is pre-decisional. It is our intent that if a company adopts CMMC early, once CMMC becomes a rule, you will still have your CMMC certification valid for three years from that point. [While] understanding that if somebody brings up an issue with it and rulemaking we may not be able to continue with that.”
Chief of Implementation and Policy in DoD’s Office of the CIO.