According to the Cybersecurity & Infrastructure Security Agency (CISA), the Defense Industrial Base (DIB) Sector is the worldwide industrial complex that enables research and development, as well as the design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.

This supply chain poses a serious risk to sensitive government information, including unclassified information, and to national security. More than 250,000 DIB enterprises and their subcontractors, both domestic and international, operate in the sector.

To maintain the required level of security for government information, several federal entities have created cybersecurity frameworks. Each has raised the bar for security and has influenced the others. Two main frameworks are used by the U.S. government to reduce supply chain risk.

The National Institute of Standards and Technology (NIST) is a U.S. government organization that develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies, and the broader public. NIST's standards strongly influence both national security and the cybersecurity of private businesses. In particular, NIST has created standards that federal agencies use to manage the cybersecurity of the third parties they work with.

Any non-federal organization that processes, stores, or transmits controlled unclassified information (CUI) or other sensitive information must comply with NIST SP 800-171, which explains how businesses should safeguard this information. The intention is to strengthen the federal supply chain and ultimately protect national security.

Implementing 800-171 normally takes around six months. It consists of 110 controls grouped into 14 control families:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

You must be compliant with all 110 controls in order to satisfy the DFARS 7012 clause. DFARS is still a requirement in the majority of government contracts, and it applies whether you are bidding on a contract or have already been awarded one. Although the CMMC is not mentioned at all in the DFARS, a new clause is currently being created for this purpose.

The Department of Defense (DoD) requires its contractors and subcontractors to have a third party validate that these controls are implemented. To ensure that the security standards of its supply chain are upheld, the DoD created the Cybersecurity Maturity Model Certification (CMMC). The goal is to give the DIB the protections it needs to deal with changing threats and to protect the data it holds.

Because of the growing number of security incidents involving defense information, the DoD released CMMC version 1.0 in 2020. DFARS and NIST 800-171 are the foundations of CMMC compliance, which also covers all 110 controls.

CMMC version 1.0 originally had five maturity levels, each building on the one before it. To advance through version 1.0's maturity levels, you had to start at Level 1, where you had to demonstrate both the technical practices and the maturity processes.

The DoD conducted an internal review of the CMMC in March 2021 and announced substantial revisions in November 2021. The five levels were reduced to three in the new CMMC version 2.0, which is covered in more detail below.

Why was the CMMC needed by the DoD if it is mostly based on NIST 800-171?

CMMC was introduced after a 2017 audit revealed that barely 60% of DoD contractors were compliant with NIST 800-171. In response, in 2020 the DoD began requiring defense contractors to self-assess using a points-based scoring system to demonstrate compliance.

After completing the self-assessment, contractors must report their score to the DoD's Supplier Performance Risk System (SPRS). They must also have a System Security Plan (SSP), which describes in detail the organization's networks, systems, procedures, policies, and security controls. Contractors must have all of this in place before they can accept a contract and begin work.

Version 2.0 was slimmed down from five levels to three.

Other changes in the new version of CMMC include:

  • Eliminating all maturity processes
  • Removing Levels 2 and 4
  • Removing the 20 additional practices from Level 3

The DoD also brought back the Plan of Action and Milestones (POAM) for CMMC 2.0. Under version 1.0, an organization had to have implemented every control before the audit began or it would fail. The change allows an organization to pass an audit without having fully implemented all 110 controls. The allowance applies only to a certain subset of controls, which has yet to be defined.

Some other points of emphasis are:
1. Only a Certified Third-Party Assessment Organization (C3PAO) is authorized to grant CMMC certificates.
2. For those seeking Level 2, the DoD has not yet defined what constitutes critical CUI.
3. The Expert level (Level 3) will be based on NIST SP 800-172, but it has not yet been developed.

The optional NIST 800-171 cybersecurity framework was created to protect CUI on the networks of government contractors and their subcontractors. CMMC, a framework that will soon be mandatory, is based on 800-171 and 800-172.

CMMC 2.0 was released as part of risk-reduction efforts after self-attestation proved unsuccessful. While the Pentagon finalizes the new certification requirements, businesses are urged to step up their cybersecurity efforts in advance.

NIST 800-171 serves as a bridge for organizations working toward CMMC compliance. Start preparing now to avoid the stress of scrambling to comply at the last minute. Making a worthwhile start takes time, but there is a wealth of material available.

Contact us today to see how the FirstCall Compliance Team can help you prepare for the C3PAO audits.

Published On: March 23rd, 2023 / Categories: CMMC
