What DoD Contractors Need to Know About the CMMC Rollout

The Cybersecurity Maturity Model Certification, known as CMMC, is the new cybersecurity protocol being put in place for Department of Defense (DoD) contractors. It was launched at the beginning of 2020; however, it is still very much in the process of being rolled out, so updates and changes are still being made along the way.

DoD contractors will need to keep on top of the changes and updates that relate to CMMC, as well as DFARS compliance. If contractors want to stay eligible for particular contracts and remain compliant with cybersecurity regulations, staying up to date with all of it is a must.

The Basic Structure of CMMC

There are five levels outlined as part of CMMC. The level an organization is assessed against depends on the kind of information it handles. Some organizations may need to earn a higher level, depending on the kind of tasks they undertake.

Organizations will be assessed by C3PAOs (CMMC Third-Party Assessment Organizations) in order to become certified at a given level of maturity. The regulations build on existing NIST and DFARS standards, so being up to date on these areas is important.

The Interim Rule

More recently in the roll-out, the Interim Rule was announced to supplement current DFARS regulations; but what does it mean? The purpose of the Interim Rule is to raise DoD contractor security, in line with existing DFARS requirements, while the CMMC implementation is still being rolled out and developed.

The Interim Rule will make sure that existing DFARS requirements are being adhered to, by enabling a DoD Assessment Methodology alongside the Cybersecurity Maturity Model Certification framework.

There are a number of considerations with the new Interim Rule, but five main points will impact contractors the most. These are summarized as:

  • Any new requirements come into effect from the beginning of December 2020 for contractors subject to the DFARS 252.204-7012 clause, which covers the handling of Controlled Unclassified Information (CUI).
  • Any contractor that deals with CUI will have to complete a self-assessment using the new scoring, and then record that score in the SPRS (Supplier Performance Risk System), in order to win contracts.
  • This self-assessment should also involve completing a security plan, which documents the current state of the contractor's network and the plan to achieve compliance with NIST 800-171 requirements.
  • Contractors will need to pass these requirements down to their entire team, so that CUI is handled properly.
  • There will be random audits to confirm that contractors have not only completed the self-assessment but have also scored it accurately.

Next Steps

Right now, one of the most important things for contractors is to get up to date with the Interim Rule requirements through a scored self-assessment. The process is ongoing, so keeping up with all of the changes through regular assessments is a must.

Ensuring a business meets the compliance standards can be a challenge, which is why it’s valuable to work with a Managed Service Provider. They will know the requirements and regulations and stay up to date on any changes, which makes it easier to stay compliant.