Bluestreak™ Reading Time: 6 minutes
Department of Defense Issues CMMC 2.0 Proposed Rule
On December 26, 2023, the much-awaited proposed rule meant to codify the Cybersecurity Maturity Model Certification (CMMC) 2.0 process was released for public comment.
The proposed rule aligns with changes already planned by the Department of Defense (DOD) contracting community. As anticipated, CMMC 2.0 employs three levels of maturity to enforce security measures for handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), following guidelines from NIST SP 800-171 Rev 2 and NIST SP 800-172. This includes documenting outstanding requirements in the Plan of Action and Milestones (POA&Ms), along with maintaining a current System Security Plan (SSP).
Businesses and organizations in the DOD supply chain must act quickly to get ready for the rollout of CMMC 2.0. Ignoring or failing to comply with its requirements could severely affect your present and future prospects. If your company plans to maintain defense-related contracts, achieving NIST SP 800-171 compliance and CMMC 2.0 certification will become mandatory soon. Becoming compliant is neither fast nor easy. The clock is ticking so take action now.
Level 1 – Foundational cyber hygiene
The most basic level of security, Level 1, requires implementing basic cybersecurity hygiene practices such as password management and keeping systems up to date with patches. This level is intended for small businesses with minimal risk to their data.
Level 1 is based on 17 controls found in FAR 52.204-21 and NIST SP 800-171. It serves as a great starting point for businesses either initiating their cybersecurity efforts or operating with limited resources.
Companies handling FCI need to obtain a Level 1 certification. However, these organizations aren’t classified as part of the critical infrastructure, which includes most businesses and government agencies. This level is NOT for companies handling CUI.
Level 2 – Advanced cyber hygiene
Level 2 builds on the cybersecurity hygiene practices of Level 1 and mandates additional measures. Like NIST SP 800-171, Level 2 includes 110 controls, covering areas such as access control, incident response, risk management, physical security, and system and information integrity.
Level 2 certification is required for companies handling CUI on behalf of the DOD or DOD Prime contractors, particularly those considered part of critical infrastructure. This includes companies operating in the defense, energy, water, communications, and transportation sectors.
Level 3 – Expert cyber hygiene
Level 3 is the highest tier of CMMC certification and requires the most stringent security measures. Based on NIST SP 800-171, Level 3 adds additional practices from NIST SP 800-172. These extra practices focus on advanced detection and response capabilities, information protection, and enhanced system “hardening” requirements.
Level 3 certification is mandatory for the same categories of companies that require Level 2 certification but also handle CUI in the most sensitive or higher security assurance levels of DOD contracts. Organizations subject to CMMC Level 3 certification need to be assessed by the Federal Government’s Defense Contract Management Agency (DCMA). Details regarding the assessment process for Level 3 are currently being developed and finalized.
CMMC 2.0 is an enhanced version of the CMMC framework developed by the DOD to improve the cybersecurity posture of defense contractors and their supply chain. Companies should be very concerned about CMMC 2.0 for several reasons, especially if they haven’t started the process.
Contractual requirement: Defense contracts will require compliance with CMMC 2.0. If DOD contractors or subcontractors want to participate in DOD-related contracts, they’ll need to adhere to the cybersecurity standards outlined in CMMC 2.0.
Supply chain impact: CMMC 2.0 applies to prime contractors AND subcontractors and suppliers within the defense industrial base (DIB). Companies within the DOD supply chain will be required to meet specific cybersecurity maturity levels to ensure the overall security of the defense ecosystem.
Increased security standards: CMMC 2.0 introduces higher cybersecurity standards and maturity levels compared to its predecessor. Companies need to assess and enhance their cybersecurity measures to meet the specified requirements, which may involve investments in technology, processes, and training.
Data protection and confidentiality: Companies often handle sensitive information related to defense contracts, including designs, specifications, and other proprietary data. CMMC 2.0 emphasizes the protection of CUI is crucial, and companies must implement measures to safeguard this information.
Competitive advantage: Being CMMC certified provides a distinct competitive advantage for companies. It demonstrates a commitment to cybersecurity and can enhance the trust and confidence of the DOD and its prime contractors, as well as other key customers.
Continuous monitoring and improvement: CMMC isn’t a one-time certification but requires continuous monitoring and improvement. Companies must establish enhanced cybersecurity practices and maintain them through time to stay compliant and keep their certification.
Potential impact on business operations: Not being certified to CMMC 2.0 could lead to disqualification from defense-related contracts. Companies may face business disruptions and loss of opportunities if they fail to meet the cybersecurity requirements set by the DOD.
How to get started
Because CMMC 2.0 is not yet fully released and it draws from the security requirements outlined in NIST SP 800-171 Rev. 2, companies should already be NIST SP 800-171 compliant. NIST SP 800-171 Rev. 2 and CMMC 2.0 present significant challenges, requiring a substantial effort and cost, the timeline for achieving compliance can range between 12 to 24 months, with most businesses going for a Level 2 certification.
The DOD is planning to use a four-phased rollout to release CMMC 2.0 implementation:
Phase 1 (0-6 months): Begins on the effective date of the CMMC revision to DFARS 252.204-7021. DOD intends to include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for all applicable DOD solicitations and contracts as a condition of contract award. DOD may, at its discretion, include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment for applicable DOD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date. DOD may also, at its discretion, include CMMC Level 2 Certification Assessment in place of CMMC Level 2 Self-Assessment for applicable DOD solicitations and contracts.
Phase 2 (6-18 months): Begins six months following the start date of Phase 1. In addition to Phase 1 requirements, DOD intends to include CMMC Level 2 Certification Assessment all for applicable DOD solicitations and contracts as a condition of contract award. DOD may, at its discretion, delay the inclusion of CMMC Level 2 Certification Assessment to an option period instead of as a condition of contract award. DOD may also, at its discretion, include CMMC Level 3 Certification Assessment for applicable DOD solicitations and contracts.
Phase 3 (18-30 months): Begins one calendar year following the start date of Phase 2. In addition to Phase 1 and 2 requirements, DOD intends to include CMMC Level 2 Certification Assessment for all applicable DOD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded before the effective date. DOD intends to include CMMC Level 3 Certification Assessment for all applicable DOD solicitations and contracts as a condition of contract award. DOD may, at its discretion, delay the inclusion of CMMC Level 3 Certification Assessment to an option period instead of as a condition of contract award.
Phase 4 (30+ months): Begins one calendar year following the start date of Phase 3. DOD will include CMMC Program requirements in all applicable DOD solicitations and contracts including option periods on contracts awarded before the beginning of Phase 4.
About the Author
Joe Coleman is the Cyber Security Officer for Bluestreak Consulting™, which is a division of Throughput | Bluestreak | Bright AM™. Joe is a Certified CMMC-RPA (Registered Practitioner Advanced).
Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, DFARS, NIST SP 800-171, and CMMC, a career as a machinist, machining manager, early additive manufacturing (AM) pioneer, and production control/quality management software implementer/instructor.
Contact Joe Coleman at joe.coleman@go-throughput.com or at 513-900-7934 for any questions and a free consultation, with a complimentary detailed compliance eBook.
About Bluestreak™:
Bluestreak™ is a powerful Manufacturing Execution System (MES) and a fully integrated Quality Management System (QMS), designed for the manufacturing environment and service-based manufacturing companies ( metal-treating/powder-coating, plating, heat-treating, forging, and metal-finishing), businesses that receive customers’ parts, perform a process (service) on them, and send those parts back to the customer). Companies need MES software tailored to specific functionality and workflow needs such as industry-specific specifications management, intuitive scheduling control for staff and machinery maintenance, and the ability to manage work orders and track real-time data. If different work centers on the production floor aren’t “speaking” to each other via the MES, the data loses value and becomes disjointed or lost in disparate silos.
Bluestreak | Bright AM™ is an MES + QMS software solution specifically designed to manage and optimize the unique requirements of Additive Manufacturing’s production of parts and powder inventory usage.