FedBiz'5

CMMC – Don’t Get Left Behind | Episode 35

Fedbiz Access Season 2 Episode 35

Cybersecurity Maturity Model Certification (“CMMC”) is a cybersecurity requirement that is coming down through the U.S. Department of Defense (“DoD”), and it will ultimately affect all suppliers throughout all the tiers in the supply chain for DoD contracts. 

In this episode we host Scott Dawson, President of Core Business Solutions, discussing the new cybersecurity requirements for large primes through small business subcontractors; anywhere that information is being exchanged or contracts are being put in place to support defense contracts. 

To safeguard sensitive national security information, the DoD launched CMMC as a three-level set of practices to protect the defense industrial base’s sensitive information from frequent and increasingly complex cyberattacks. 

Federal Contract Information (“FCI”) is protected by CMMC Level 1 and Controlled Unclassified Information (“CUI”) is protected by CMMC Level 2. CMMC Level 3 exists to protect highly sensitive CUI. 

While companies should already have cybersecurity protections in place as a matter of good business practices, CMMC is a formal compliance process based on self-assessments (Level 1 and lower-priority Level 2), third-party assessments (higher-priority Level 2), and government assessments (Level 3). Without this certification, companies will be ineligible for work on DoD projects.

CMMC is a DoD requirement, but has not yet been integrated into contracts. However, companies should be aware that this will soon be part of the terms and conditions of all DoD and related contracts. In order to be awarded future contracts, companies will need to employ several information security solutions and put formal cybersecurity policies into place that drive action for their organizations and require technical and organizational upgrades.

The rapidly approaching deadline for implementation means that defense industry contractors and subcontractors can’t wait to get started. The formal CMMC regulations should be finalized by March 2023 with the requirements beginning to appear in contracts in May 2023. It is estimated this may impact as many as 300,000 companies doing business with the DoD.

The requirements for CMMC originate from the National Institute of Standards and Technology at the U.S. Department of Commerce, commonly referred to as “NIST.” NIST SP 800-171 is a codification of the requirements that any non-federal computer system must follow in order to store, process, or transmit CUI or provide security protection for such systems.

Defense contractors must implement the recommended requirements contained in NIST SP 800-171 to demonstrate their provision of adequate security to protect CUI included in their defense contracts, as required by DFARS clause 252.204-7012. If a manufacturer is part of a DoD, General Services Administration (“GSA”), NASA or other federal or state agencies’ supply chain, the implementation of the security measures included in NIST SP 800-171 is required.


CMMC – Don’t Get Left Behind

Jesse Sherr  00:02

My name is Jesse, and I work with small businesses in the government marketplace.

Jesse Sherr  00:06

You're listening to FedBiz'5, where you get informed, get connected, and get results on everything government contracting. 

Jesse Sherr  00:15

Hello, and welcome to another episode of FedBiz'5. Today we have Scott Dawson with Core Business Solutions, and he's here to talk about Cybersecurity Maturity Model Certification, aka CMMC, and how it applies to you. 

Jesse Sherr  00:29

Welcome Scott.

Scott Dawson  00:30

Well, thank you Jesse. Glad to be here.

Jesse Sherr  00:32

Happy to have you. So, let's just jump right in. What is CMMC, and who does it apply to?

Scott Dawson  00:38

Yes, great question. CMMC is a cybersecurity requirement that is coming down through the Department of Defense, and it will ultimately affect all suppliers throughout all the tiers in the supply chain for DOD contracts. From the primes through subs, anywhere that information is being exchanged or contracts are being put in place to support a defense contract, it will apply to those organizations. 

Scott Dawson  01:08

So, companies will have to implement necessary cybersecurity protections, and then there will be an assessment. A little bit like an ISO audit, if people are familiar with that. And then once a company passes the assessment, the certificate is then issued. So that would then put them in compliance with CMMC.

Jesse Sherr  01:08

Okay, great. So, it's really just revolving around DOD. Is that right? 

Scott Dawson  01:22

Yes, that's correct. 

Jesse Sherr  01:28

Okay.

Scott Dawson  01:31

Yes, it's a DOD requirement. It has not yet hit contracts, but currently companies should be watching the terms in their contracts to see when this is going to be applicable.

Jesse Sherr  01:46

Okay, great. So I appreciate that explanation. So, what does it require, and what should companies be doing now?

Scott Dawson  01:53

Yes, great question. So, the requirements for CMMC come out of a NIST standard (National Institute of Standards and Technology at the U.S. Department of Commerce) called NIST SP 800-171, and that is a list of cybersecurity protections. There are 120 of them, they're called practices, and companies can begin familiarizing themselves with those requirements. 

Scott Dawson  02:15

They should probably go through and do a self-assessment to see where they stand. You know, whether or not they have some of the requirements already in place or not, and then start working through preparing. 

Scott Dawson  02:15

One other thing to note is that as of the end of 2020, I believe, there was a preliminary requirement for companies to do a self-assessment, determine a score of their assessment, and submit that to the Department of Defense in a database called SPRS, which is the Supplier Performance Rating System. 

Scott Dawson  02:48

That's the system that keeps track of all suppliers' performance, past performance in contracts, and quality scores. And there's now a cybersecurity score requirement. So, if a company has not submitted their score, even today they're not eligible for a defense contract.

Jesse Sherr  03:04

Oh, okay. Well, thank you for that. I appreciate all that extra information. 

Jesse Sherr  03:08

So my last question is, when will it become effective? 

Scott Dawson  03:12

Yes. The process that they're working through right now is called rulemaking. So, that's the government speak for creating regulations. And that rulemaking process, which is basically finalizing and getting approvals, should conclude by March of 2023, and then the requirement will start to appear in contracts in May of 2023. At least that's the current announced schedule.

Scott Dawson  03:40

They've missed the schedule a few times, so I wouldn't be surprised. But once they start to implement through various contracts, it will take years for it to go through all defense contracts. There are around 300,000 companies that do work with the Department of Defense in the U.S. 

Jesse Sherr  03:46

And that's just with the DOD?

Scott Dawson  03:58

That's just with the DOD, and they will all have to get certified eventually. So, there's no way it could all happen at the same time. So, it will be phased in over a period of years. 

Jesse Sherr  04:09

Scott, thank you so much for explaining this, and I believe our listeners definitely got something out of this. Well, one more question. I know I said that was the last one. But do you have any advice to give now for people that may be interested in trying to get involved in this?

Scott Dawson  04:24

Well yes, I think it's important that companies get training in the requirements. Most small businesses don't have a depth of IT resources or cybersecurity experts at their disposal. And oftentimes reaching out to a firm like Core Business Solutions, that can assist with doing assessments and helping with preparation, can really make all the difference.

Jesse Sherr  04:45

Well, thank you so much for that once again, and I appreciate you taking the time to come on to help us understand this a little bit more.

Scott Dawson  04:52

Thank you so much, Jesse. Appreciate it.

Jesse Sherr  04:54

You got it. Take care. 

Jesse Sherr  04:56

This concludes this week's episode of FedBiz'5, where you get informed, get connected and get results. 

Jesse Sherr  05:07

Today's podcast is sponsored by FedBiz Access, government contracting made simple.

Jesse Sherr  05:12

Visit them at FedBizAccess.com or contact them at 888-299-4498.