The DoD Contractor's Guide to CMMC Level 2

The Need for the Cybersecurity Maturity Model Certification

In a recent Identity Theft Resource Center report, they estimate that the United States government and military faced over 80 data breaches in 2019. As a result, over 3.5 million sensitive records were exposed. With cyber threats posing more significant hazards for the defense supply chain than ever before, along with physical threats from rival nation states, now is the time to reinforce cybersecurity priorities across the board.

DFARS, NIST, and CMMC

While the U.S. government's initial approach to introducing fundamental security controls into the national defense supply chain called for compliance with NIST SP 800-171 through DFARS 252.204-7012, these measures weren't enough. The Cyber Security Model Certification (CMMC) was released in early 2020 to reduce unauthorized disclosure of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

Unlike the NIST SP 800-171, the CMMC does not offer the option to self-certify, as it requires a sign-off from a C3PAO, third party assessor. The CMMC certification process will begin as C3PAOs become available (est. late 2021). Failure to meet any qualifications required by a level will result in a lower level of certification and loss of DoD contract eligibility.

CMMC will replace NIST SP 800-171. As a precursor to CMMC, the DFARS Interim Rule (252.204-7019) establishes requirements for NIST SP 800-171 compliance scoring (SPRS score) and remediation beginning November 30, 2020.

Understanding CUI

There are currently 20 organizational index groups and 125 categories of data that are considered controlled unclassified information. Category groupings are either specific or general, but some of the more common specific categories include:

• Tax information
• Law enforcement data
• Critical infrastructure
• Controlled technical information, including schematics
• Unclassified nuclear
• Natural and cultural resources

Many defense contractors also create, store or process general categories such as:

• Controlled technical information
• Inventions and patent applications
• Proprietary manufacturer
• General proprietary business information
• General privacy
• Health information
• General procurement and acquisition
• Small business research and technology

> Request our CMMC Level 2 Self-Assessment Tool for a complete list of CUI categories

CMMC Compliance Requirements

The CMMC framework features three levels of cyber security maturity. Organizations with access to CUI must be certified at CMMC Level 2, whereas those with access to FCI only will need to be compliant at CMMC Level 1. As defined in DFARS 252.204-7019-7021, almost all 300,000+ DoD contractors have or handle CUI and must become CMMC Level 2 certified by October 2025 to remain eligible for DoD contracts.

To prevent exclusion from contracts as CMMC is implemented, contractors must determine whether their organization is subject to CMMC requirements, assess their compliance against the requirements of the level they need, obtain a gap analysis, remediate those gaps in compliance, and be audited through a Certified Third-party Assessor Organization (C3PAO) certification assessment.

* InfoDefense is a C3PAO candidate.

Steps to CMMC Compliance

1. Determine Your CMMC Requirements

First off, you need to determine what level of CMMC your business requires. Organizations with access to CUI must be certified at CMMC Level 2, whereas those with access to FCI only will need to be compliant at CMMC Level 1. Well over 90% of DoD contractors require CMMC Level 2 compliance. Along with our no-cost self-assessment tool, our CMMC experts can help you determine whether your business is subject to CMMC requirements and which compliance level you require.

2. Get Your Gap Analysis

Now that you know which CMMC level your business requires, the next step is a CMMC Gap Analysis that determines your state of compliance for each requirement. This can be accomplished through our CMMC Level 2 Self-Assessment Tool or a CMMC Gap Analysis performed by our compliance experts. Once complete, the analysis will detail each requirement and determine if your organization is currently prepared to meet compliance for it.

3. Implement Your Remediation

Once the assessment is completed and you have your gap analysis in hand, a detailed Plan of Action and Milestones (POA&M) should be created so that solutions required to ensure certification can be implemented. Your existing IT Team(s) can accomplish this, or you can partner with InfoDefense and we will help you achieve 100% compliance through our Standalone Services or CyberSecure 360, our comprehensive security and compliance managed services program.

4. Complete a C3PAO Certification Assessment

Unlike the NIST SP 800-171, contractors must be audited through a Certified Third-party Assessor Organization (C3PAO)* certification assessment to receive CMMC certification. The CMMC certification process will begin as C3PAOs become available. It is important to note that C3PAO cyber security consultants that aid a contractor with CMMC compliance remediation cannot perform that same contractor's Certification Assessment.

Failure to meet any qualifications required by a level will result in a lower level of certification and loss of DoD contract eligibility. As such, our CMMC Pre-Audit Assessment helps ensure that you've remediated any outstanding practices or processes found in your Gap Analysis, verifying 100% compliance before the auditing process takes place.

*InfoDefense is a C3PAO candidate.

CMMC is as simple as that with InfoDefense.

Call 972-922-3100 or contact us below for more information and guidance for your compliance needs.