In September 2020, the Department of Defense (DoD) published an interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS) in the Federal Register. The rule implemented the DoD's initial vision for the Cybersecurity Maturity Model Certification (CMMC) program (CMMC 1.0) and outlined the framework's basic features: a tiered model, required assessments, and implementation through contract clauses. The interim rule went into effect on November 30, 2020, and established a five-year phase-in period for organizations that must comply.
In March 2021, the DoD initiated an internal review of CMMC's implementation, informed by more than 850 public comments on the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within the DoD to refine policy and program implementation. In November 2021, the DoD announced CMMC 2.0, an updated program structure whose high-level requirements are designed to achieve the primary goals of the internal review, which are as follows:
The transition from CMMC 1.0 to CMMC 2.0 brings substantial changes to the original model, based on public feedback and careful consideration by the DoD. The changes include:
These changes to CMMC affect any organization that does business as part of the DoD supply chain, from prime contractors down to subcontractors within the Defense Industrial Base (DIB). Any organization that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under an awarded contract will be required to comply in some capacity, depending on the contract requirements. The one exception is that organizations that supply only Commercial-off-the-Shelf (COTS) products and do not handle FCI or CUI are not required to meet CMMC requirements.
According to the DoD, rulemaking and the rollout of CMMC 2.0 will take an estimated 9 to 24 months. Once the rollout occurs, DFARS clause 252.204-7021 will carry the CMMC requirement into contracts, with the stated goal that all solicitations, task orders, and contracts include CMMC requirements by October 1, 2025.
The DFARS requirement to implement NIST SP 800-171 has been in place since 2016 (clause 252.204-7012), and clause 252.204-7019 later added the requirement to score a self-assessment against NIST SP 800-171 and report it to the DoD. Because businesses could satisfy these requirements through self-attestation alone, CMMC was developed to hold Organizations Seeking Certification (OSC) accountable for demonstrating that they actually follow the security requirements and best practices, rather than merely stating that they are compliant.
Organizations that are not compliant and have not been assessed may see a significant impact on their existing government contracts and on their ability to be awarded new ones. In practice, that contract impact determines whether an OSC can continue to do business with the government.
Under the existing DFARS clauses (252.204-7012 and 252.204-7019), a DIB contractor that is required to protect FCI or CUI must already meet many of the same security requirements that are codified in CMMC 2.0.
CMMC 2.0 replaces the self-attestation that suffices today with formal assessments: triennial third-party assessments at Level 2 (ML2) for contracts involving information critical to national security (a subset of Level 2 programs will still use an annual self-assessment), and government-led assessments at Level 3 (ML3). To provide evidence that your organization is compliant, you should already have established an Information Security Program, developed a System Security Plan (SSP), developed and maintained a Plan of Action & Milestones (POA&M), conducted a self-assessment of your program against NIST SP 800-171, and submitted your score to the DoD through the Supplier Performance Risk System (SPRS).
If your program does not yet meet these requirements, now is the time to align it with the upcoming CMMC 2.0 rollout, because CMMC 2.0 will enforce a more rigorous level of accountability across the DIB.
Coretek is a CMMC Registered Provider Organization (RPO) with extensive experience helping organizations that face strict security and compliance requirements, especially those in the DIB. Coretek provides security and compliance assessments, security policies, remediation of audit findings, secure migration to government-approved cloud and application services, and technology and security managed services delivered by screened, US-based staff. Based on our long-standing experience supporting DIB customers, we understand what must be accomplished within your organization to support the mission. It is therefore critical to partner with an organization that knows the requirements and can assess and communicate what is necessary, why it is necessary, and how to accomplish it. If you have questions about CMMC, use the button below to get in touch with our security team.