Since 2017 the DoD has been stuck between a rock and a hard place. With the vast number of DoD contractors, diverse IT infrastructure, and continuously evolving IT environment the DoD how do you ensure that you are truly secure? Unfortunately, the DoD has been forced to rely on contractors to self-attest, perform POA&Ms, and haven’t had anywhere near enough bandwidth to audit each contractor to make sure they are truly compliant with all 110 requirements of the framework. That changes this year with the implementation of the DoD’s new CMMC requirement.
Basic CMMC Compliance begins with 110
Starting November 30, 2020, all contractors and their subs will need to have a score representing their NIST 800-171 progress ranked from level 1 through level 5 published in a federal database before contract award. Plus, the score needs to be accompanied by the date in which all requirements are being implemented and screenshots showing compliance. This is the first step in a long road to securing our nation’s cyber infrastructure.
Right now, the DoD is using a vendor report card maintained in the Supplier Performance Risk System (SPRS) to determine compliance. This system will provide the DoD a snapshot of the contractor’s IT environment and allow them to “verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.”.
This “assessment” refers to the score generated by performing a review of your NIST 800-171 implementation as documented in your System Security Plan. “The NIST SP 800-171 DoD Assessment Methodology provides for the assessment of a contractor’s implementation of NIST SP 800-171 security requirements, as required by DFARS clause 252.204-7012.”
One important note before you can begin your CMMC compliance, you absolutely need to have a System Security Plan in place before you perform this assessment. It’s a mandatory requirement in the NIST 800-171, the regulation behind the compliance. In fact, without one, you are immediately deemed non-compliant! “The absence of a system security plan would result in a finding that an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.” – NIST SP 800-171 Assessment Methodology Version 1.2.1 Annex A Comment 3.12.4
You don’t want to get caught lying about this. As a representative of the Government you now have the whole False Claims Act thing to deal with. Luckily, if you still need an SSP, GiaSpace can help!
The Levels of CMMC Compliance
There are multiple levels of compliance. For now, the Government is mostly requiring CMMC level 1 for all of their contractors in the Process and Practice realms. However, different or future contracts may require different levels of CMMC compliance. It’s important to remember that in order to reach a specific level of compliance, you need to meet the level for both Process and Practice.
CMMC Level 1
Level 1 requires that an organization performs the specified practices. Because the organization may be able to perform these practices only in an ad-hoc manner and may or may not rely on documentation, process maturity is not assessed for Level 1.
Practices: Basic Cyber Hygiene
Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.
CMMC Level 2
Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and practicing them as documented.
Practices: Intermediate Cyber Hygiene
Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171 as well as practices from other standards and references. Because this level is a transitional stage, a subset of the practices reference the protection of CUI.
CMMC Level 3
Level 3 requires that an organization establish, maintain and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Practices: Good Cyber Hygiene
Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices to mitigate threats. Note that DFARS clause 252.204-7012 applies, and specifies additional requirements beyond NIST SP 800-171 security requirements such as incident reporting.
CMMC Level 4
Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.
Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (TTPs) used by APTs.
CMMC Level 5
Level 5 requires an organization to standardize and optimize process implementation across the entire organization.
Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.
It’s important to remember that each level is cumulative. For example, in order to reach CMMC level 3 you must show that you have successfully reached CMMC levels 1 and 2 and it must be reached on both the Practice and Process realms.
You also need to remember that this needs to flow down through all of your subcontractors! Now this doesn’t mean that if you have a CMMC level 5 certification that all of your subcontractors will need to have the same level certification, but it does mean that each of your subcontractors will be required to at least maintain a level 1 certification.
Getting Ready for CMMC
With the new CMMC framework, the DoD is working to level the cyber battlefield and keep ahead of cyberattacks that threaten the effectiveness of the U.S. military. CMMC is fast-tracked to be implemented in 2021 and fully implemented by 2025 across all contracts. We can help you prepare for CMMC compliance! GiaSpace offers comprehensive systems audits to identify gaps in your SSP and bring you one step closer to compliance. Contact us today for a consultation!
As the Fox-affiliate TV station for South Florida, we depend heavily on our IT infrastructure to deliver high quality television to our viewers. We have worked with GiaSpace in a variety of IT capacities since 2008, and they have never let us down. They are our go to team for product procurement and special projects.- Patrick M. WSVN, Miami
GiaSpace is a fabulous company to do business. Patrick is extremely knowledgeable and very quick to respond to any issues/concerns/questions. Thank you for your outstanding work.- Lucila L. Town of Lauderdale-by-the-Sea, Fort Lauderdale
Excellent service and communication - great deal of knowledge- Rossie C. ECI Pharmaceuticals, Fort Lauderdale
The GiaSpace team is quick to respond and has gone above and beyond to resolve our technical issues.- Carlos U. Alternative Home Healthcare, Fort Lauderdale
The response was very quick and my issue was resolved right away.- Katherine G. Medtrust LLC, San Antonio