CMMC 2.0 For Florida DoD Contractors
Defense contracting plays a massive role in Florida’s local and state economies. Defense procurement is estimated to be nearly $17 billion annually statewide. Furthermore, the military and defense presence in the Sunshine State generates an additional $90+ billion each year. That annual revenue helps provide a healthy economy for the state’s residents and local businesses.
The Department of Defense continues moving forward with stricter compliance regulations and updates to safeguard the United States’ sensitive national security information. That brings us to the Cybersecurity Maturity Model Certification (CMMC) 2.0 changes every Florida DoD contractor needs to know to remain compliant.
A contractor that does not meet the newest requirements outlined in section 252.204-7012 of DFARS may lose its eligibility to continue providing goods and services to the Department of Defense. All defense contractors must now take the required updated steps to ensure their networks are compliant.
What Is The DoD CMMC Program?
The program was designed to address increased cyber risk in the Defense Industrial Base (DIB) due to the loss of Controlled Unclassified Information (CUI). Initially, the CMMC framework focused on standardizing cybersecurity grade levels to increase security for CUI and across the DIB.
The primary goal of the documentation was to point out what was considered necessary levels of cybersecurity processes and practices. The sole purpose was to protect controlled unclassified information and federal contract information.
In 2019, the Department of Defense notified private defense contractors that the CMMC 1.0 framework would be released in January 2020. That mandate required all contractors to adopt cybersecurity standards based on the framework found in NIST SP 800-171.
What Were The CMMC 1.0 Models?
Under the previous version of the Cybersecurity Maturity Model Certification, there were five levels: Basic, Intermediate, Good, Proactive, and Advanced. Each level had its own number of practices and processes to complete, and some levels required an assessment.
- Level 1 – Basic had seventeen practices, no processes, and required a third-party assessment.
- Level 2 – Intermediate had seventy-two practices, two processes, and no assessment required.
- Level 3 – Good had one hundred thirty practices and three processes and required a third-party assessment.
- Level 4 – Proactive had one hundred fifty-six practices, four processes, and no assessment required.
- Level 5 – Advanced had one hundred seventy-one practices and five processes and required a third-party assessment.
Note that Levels 2 and 4 were considered “Transition Levels,” and third-party assessments were not required for them. The remaining levels have been updated to meet the latest Cybersecurity Maturity Model Certification version and are listed below.
What Are The CMMC 2.0 Models?
The new CMMC 2.0 models take compliance to a higher level. The latest levels are based on the different types of information Defense Industrial Base companies handle. The new version also lowers the number of levels required. For example, Levels 2 and 4 from CMMC 1.0 were eliminated. Even though there are only three levels (Foundational, Advanced, and Expert), the practices are more defined, and the assessments are stricter.
- Level 1 – Foundational has seventeen practices and a required annual self-assessment.
- Level 2 – Advanced has one hundred ten practices that must align with NIST SP 800-171 Revision 2. It requires triennial third-party assessments for critical national security information and an annual self-assessment for selected programs.
- Level 3 – Expert has one hundred ten practices based on NIST SP 800-171, a subset of SP 800-172 controls, and triennial government-led assessments.
Under the CMMC 2.0 requirements, an organization must have a minimum number of controls for each level. Another condition is that any DoD contractor must submit to a third-party assessor organization to verify their compliance.
Which Florida DoD Contractors Must Have CMMC Certification?
Every Florida DoD contractor must conduct a yearly self-assessment and a third-party assessment every three years. The type of information a Defense Industrial Base company accesses also determines when an examination is required. Sometimes, the contractor may be required to submit to frequent third-party assessments.
When a Department of Defense contractor seeks to meet Level 1 Foundational requirements, it is not required to have a third-party certification. It must state which facilities, people, technology, and external providers are processing, transmitting, or storing federal contract information on its behalf. Also, FAR clause 52.204-21 requires the contractor to self-certify annually.
Should the Florida contractor want Level 2 Advanced status, the DoD requires third-party assessments every three years. Those who perform this type of assessment must be accredited CMMC Third Party Assessment Organizations (C3PAOs) or certified CMMC Assessors.
Contractors needing Level 3 Expert compliance are subject to security requirements. Those specifications are in NIST SP 800-171, and SP 800-172 contains subsets the contractor must follow. Once the DoD determines Level 3 compliance assessments, the organization will receive a notification. Also, expect to submit to a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) audit for compliance requirements.
Are You A Florida DoD Contractor Needing CMMC 2.0 Help?
Enforcement is active and ongoing regarding federal cybersecurity regulations. CMMC 2.0 updated cybersecurity standards are evident for Florida DoD contractors. Without the latest requirements implemented in your organization, you could jeopardize any future contracts you seek.
GiaSpace offers comprehensive system audits to identify gaps and bring your organization one step closer to compliance. We know what you need and how to help you prepare for Levels 1, 2, or 3 CMMC 2.0 compliance. Contact us for a consultation or call us at (954) 255-1757.