Navigating CMMC Level 2: A Guide for Defense Contractors

As a defense contractor, you’re likely aware of the increasing emphasis on cybersecurity. The Department of Defense (DoD) is committed to safeguarding sensitive information, and the Cybersecurity Maturity Model Certification (CMMC) program is a key part of that effort. If you’re a mid-sized contractor, understanding and implementing CMMC Level 2 is crucial for maintaining and growing your business with the government. This blog post will guide you through what you need to know about CMMC Level 2, how to approach it, and ways to streamline your compliance efforts.

Understanding CMMC Level 2

CMMC Level 2 focuses on protecting Controlled Unclassified Information (CUI). This is a step up from Level 1, which deals with Federal Contract Information (FCI). Level 2 requires defense contractors to implement a set of cybersecurity best practices.

Here are some key points about CMMC Level 2:

  • NIST SP 800-171 R2: Level 2 compliance means adhering to the 110 security requirements outlined in NIST Special Publication (SP) 800-171 R2.
  • DFARS Clause 252.204-7012: These requirements are already mandated if you have a contract with the DFARS 252.204-7012 clause.
  • Assessment Types: CMMC Level 2 compliance can be achieved either through a self-assessment or a certification assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO). Your contract will specify which assessment type is required.
  • Annual Affirmation: Regardless of the assessment type, you must affirm your continued compliance annually to maintain your CMMC status. This affirmation is submitted to the Supplier Performance Risk System (SPRS).
  • Scoring: The CMMC scoring methodology involves deducting points for unmet security requirements, where those points are weighted based on the potential impact of the deficiency. Each assessment objective must be MET or NOT APPLICABLE for a security requirement to be considered MET.
  • Plan of Action and Milestones (POA&Ms): If your assessment reveals deficiencies, you’ll need to create a POA&M and remediate the issues within 180 days.
  • Validity: A CMMC Level 2 certification is valid for three years.
  • Scope: The scope of a CMMC assessment must be equal to the scope of the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment. When implementing the CMMC model, an organization can achieve a specific CMMC level for its entire enterprise network or for one or more particular enclaves, depending on where the information to be protected is handled and stored.

A Step-by-Step Approach to CMMC Level 2 Compliance

Complying with CMMC Level 2 might seem daunting, but by taking a structured approach, you can navigate this process effectively:

  1. Conduct a Self-Assessment: Begin with a thorough self-assessment of your systems against the NIST SP 800-171 R2 requirements. This will help you identify any gaps in your current security posture. NIST SP 800-171A provides the assessment procedures and methodology for conducting these self-assessments.
  2. Understand DFARS Clauses: Make sure you understand DFARS clause 252.204-7012 and how it relates to your cybersecurity obligations. You should also familiarize yourself with 252.204-7021 when it becomes effective.
  3. Determine Assessment Type: Review your contracts to determine whether a self-assessment or a C3PAO certification assessment is required. The DoD will specify the required CMMC level and assessment type in the solicitation.
  4. Select a C3PAO (If Necessary): If a certification assessment is required, choose an authorized C3PAO from the CMMC Accreditation Body (AB) Marketplace.
  5. Address Deficiencies: Implement corrective actions to address the gaps found during the self-assessment or by the C3PAO, and create a POA&M if needed. The POA&M must be closed out within 180 days.
  6. Submit Results and Affirmations: Ensure that all assessment results, artifacts, and annual affirmations are submitted to SPRS. If you use a C3PAO, they will upload results to the CMMC instantiation of eMASS, which then feeds the information into SPRS.
  7. Understand the Scope: Accurately define the scope of your CMMC assessment based on where FCI and CUI are processed, stored, and transmitted, and on the assets involved in handling them.
  8. Temporary Deficiencies: Temporary vulnerabilities and deficiencies that are appropriately addressed in operational plans of action, with progress towards correction, can be assessed as MET.
  9. Not Applicable: When a security requirement is marked as Not Applicable (N/A) it is equivalent to being marked as MET.

Streamlining Compliance for the Future

Complying with CMMC doesn’t have to be an ongoing burden. Here are ways you can streamline your compliance efforts moving forward:

  • Leverage Cloud Service Providers (CSPs): Consider using FedRAMP authorized CSPs to handle CUI, reducing the need to manage your own infrastructure and its security. If using a FedRAMP authorized CSP (at the FedRAMP Moderate or higher baseline), you are not responsible for the CSP’s compliance but need to document in your System Security Plan (SSP) how you meet your requirements assigned in the CSP’s Customer Responsibility Matrix (CRM).
  • Maintain a Comprehensive System Security Plan (SSP): Develop and regularly update your SSP to document how you meet each security requirement. This will make future assessments more efficient. The SSP should detail the policies and procedures that support how security requirements are implemented for all NIST SP 800-171 R2 controls.
  • Engage External Service Providers (ESPs): For some companies, working with ESPs may simplify the management of security-related data and CUI.
  • Consider Enclaves: You may choose to segment your corporate information systems into enclaves, each with specific security requirements, if appropriate. The DoD does not provide specific instructions for configuring enclaves, as this should be tailored to your organization.
  • Proactive Planning: Since the self-assessment process is controlled by your business, proactive planning and internal processes will help ensure assessments are completed well in advance of contract requirements.
  • Regular Internal Audits: Conduct regular internal audits to ensure continuous compliance and make adjustments as necessary.
  • Stay Informed: Keep up with any changes to the CMMC program, NIST standards, and other relevant guidance.
  • Annual Affirmation: Make sure you complete your annual affirmation to maintain compliance.

Additional Points to Consider

  • Subcontractor Requirements: CMMC requirements flow down to subcontractors. If a prime contract specifies a Level 2 certification assessment, all subcontractors who process, store, or transmit CUI related to that contract will need to obtain a CMMC Level 2 certification assessment at a minimum.
  • Cost Management: CMMC implementation and assessment costs will vary based on the complexity of your network, your CMMC level, and market conditions. The DoD provides no-cost Cybersecurity-as-a-Service resources to assist with compliance. Costs incurred to meet existing contract requirements for safeguarding information are not part of CMMC implementation costs.
  • Phased Implementation: CMMC will be implemented in four phases over three years, starting with self-assessments and moving to certification assessments. Phase 1 will begin 60 days after the 48 CFR CMMC Acquisition rule is published as final in the Federal Register. The DoD may implement CMMC requirements in advance of the planned phase and may also include CMMC requirements on contracts awarded prior to the 48 CFR part 204 CMMC Acquisition rule becoming effective, but doing so will require bilateral contract modification after negotiations.
  • Pre-Award Requirement: CMMC is a pre-award requirement. You must meet the required CMMC level by the time of contract award and maintain your assessment status through contract performance.
  • No Partial Exemption: CMMC applies to all DoD contractors who handle FCI or CUI, and there are no partial exemptions for foreign contractors.
  • CMMC and CUI: CMMC levels do not correspond to CUI levels. The CMMC program does not change the CUI Program or existing DoD policies for information security requirements.

Helpful Resources:

CMMC FAQs
https://dodcio.defense.gov/CMMC/Model/

Conclusion

The CMMC program is designed to protect sensitive information and ensure a more secure defense industrial base. While it represents a significant change to cybersecurity requirements, by understanding those requirements, taking a proactive approach, and focusing on continuous improvement, you can navigate CMMC Level 2 compliance effectively and maintain your eligibility for DoD contracts. Taking the steps outlined in this post will help you manage your CMMC Level 2 compliance, protect sensitive information, and remain competitive in the defense contracting market.

Fast Track Your Compliance

Schedule a free “Compliance FastTrack” Workshop to accelerate your journey