The Department of Defense (DoD) recently announced CMMC 2.0, intended to simplify the requirements and ease the compliance burden on contractors. Unlike its predecessor, CMMC 2.0 moves to three compliance levels rather than five; aligns the required security controls (known as practices) with National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 and 800-172; and entirely eliminates the previously required maturity processes. The changes also include a shift to self-assessments for all but contractors supporting the most sensitive programs, as well as the return of Plans of Action and Milestones (POA&Ms), which allow limited, time-bound remediation of unmet practices on the path to certification.
The new requirements are summarized below:
CMMC Level 1, Foundational
- Contractors must implement the 17 practices from NIST SP 800-171 that correspond to the 15 basic safeguarding requirements in FAR 52.204-21, and submit an annual self-assessment to the DoD through the Supplier Performance Risk System (SPRS).
CMMC Level 2, Advanced
- Contractors must implement the 110 controls in NIST SP 800-171 and submit an annual self-assessment or, if required to handle (as yet undefined) critical national security information, a triennial independent assessment performed by a CMMC Third Party Assessment Organization (C3PAO).
CMMC Level 3, Expert
- Contractors must implement the 110 controls in NIST SP 800-171 and a subset of controls from NIST SP 800-172 before undergoing a triennial government-led assessment. The DoD, however, is still in the process of developing the requirements for this Level.
What do I do now?
You are STILL responsible for implementing the basic safeguarding requirements in FAR 52.204-21 if you handle Federal Contract Information (FCI).
You are STILL responsible for implementing the cybersecurity requirements in NIST SP 800-171 if you handle Controlled Unclassified Information (CUI).
- But wait, you say, they won’t audit me, so I don’t need to… right? Wrong. By bringing the requirements back to the existing NIST SP 800-171 baseline, the government is laying a solid foundation for prosecuting contractors under the False Claims Act. It is requiring senior executives in the organization to personally affirm that the cybersecurity requirements are being met. And it is removing the phased rollout.
- This all means that if your company is lax on cybersecurity and attests otherwise, the government can pursue a False Claims Act case against you. Such a case can also be brought by one of your own employees under the Act’s qui tam provisions, which are designed to award the whistleblower a share of any penalty recovered.
- It also means that the government can decide, without any warning, that your contract requires an independent assessment, on the basis that “you said you were compliant.”
“The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking.”
- CMMC 2.0 will be implemented through the rulemaking process, which the DoD estimates could take anywhere from nine months to two years. Thereafter, the DoD will begin to incorporate CMMC 2.0 requirements into contracts. In the meantime, the DoD has suspended its CMMC pilot program and will not approve the inclusion of CMMC requirements in any forthcoming DoD solicitations.
- Now is the time to take the necessary steps to demonstrate that your organization is committed to protecting your company and our national security. Use 2021 to update your POA&M and SSP, and submit a self-assessment score to SPRS to meet the current DFARS/FAR requirements (DFARS 252.204-7019 and 252.204-7020 already require a NIST SP 800-171 self-assessment score to be posted in SPRS).
Did I waste money pursuing CMMC requirements?
Not at all – you have likely made a lot of progress toward meeting the NIST SP 800-171 requirements that are the foundation of both CMMC and DFARS.
The System Security Plan (SSP) and Plan of Action & Milestones (POA&M) that were created during your assessment will become the foundation and a critical part of your compliance moving forward.
What can Simpatico Systems do to assist you?
For more information on CMMC 2.0 requirements, assessments, or any aspect of the process in general, please reach out to Simpatico Systems with your questions and concerns and we will help guide you through the process.
Simpatico is a CMMC RPO (Registered Practitioner Organization). We have established partnerships with various provisional C3PAOs, such as CoalFire Federal, and with key members of the CMMC ecosystem. Simpatico Systems can assist your organization with assessments, recommendations, remediation, technical control implementation, and assessment readiness preparation, all based on validated processes.