To answer what is the status of CMMC, let’s go back a bit. DFARS, or the Defense Federal Acquisition Regulation Supplement is a part of all Department of Defense (DOD) contracts. There are DFARS clauses that are relevant to information security.
Today, the DFARS clauses (7012 & 7019) require contractors to self-attest that they are following the 110 controls outlined in the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171). Over time, the DOD has found that these rules have been largely ignored. The CMMC (Cybersecurity Maturity Model Certification) was created to enforce DFARS compliance. Each of the 110 controls is weighted (5-point, 3-point, and 1-point) in the proposed CMMC assessment.
CMMC has three levels. Level 1 is for organizations that do not interact with Controlled Unclassified Information (CUI). Level 2 applies to those organizations that handle, store, or are exposed to CUI. Level 2 will require an assessment performed by a Certified Third-Party Assessor Organization (C3PAO). Level 3 will also need a Level 2 assessment as well as an audit from the DOD Defense Industrial Base Cybersecurity Assessment and Certification Program (DIBCAC ARM).
The relevant DFARS clauses for this discussion are:
- DFARS 252.204-7012 addresses Controlled Unclassified Information (CUI) and requires compliance with NIST SP 800-171 and a System Security Plan (SSP).
- DFARS 252.204-7019 requires a self-assessment and the submission of a Supplier Performance Risk System (SPRS) score.
- DFARS 252.204-7020 gives the right to the DoD to assess the contractor. The contractor must also hold their subcontractors responsible for having an SPRS score.
- DFARS 252.204-7021 (proposed rule) will require CMMC third-party assessments for Level 2 and a DIBCAC assessment for Level 3.
Since its inception, CMMC has been a work in progress. The CMMC Version 2 proposed rule was published on December 26th, 2023. We are currently in a 60-day public comment period. After that, there will be a response period that may last up to 280 days. The final rules are expected to be published in early to mid-2025.
What does this mean for Arkansas DOD contractors?
If you have a DOD contract, check it for these DFARS clauses. If any of them appear in your contract, you will need to begin the process of self-attesting that you are compliant with NIST SP 800-171. Once CMMC has been published and phased in, all new DOD contracts will require a third-party CMMC assessment if your organization is at CMMC Level 2 or 3. The assessment will be pass-fail.
Over 100,000 organizations are expected to need an assessment. Today, there are only 50 approved C3PAOs. Once you start the CMMC journey, expect it to take 12 to 18 months to prepare for the assessment and to gather the evidence needed to create and substantiate a System Security Plan (SSP). Your SSP may include Plans of Action & Milestones (POAMs), which can be used in the assessment only if you meet 88 of the 110 controls and the remaining 22 unmet controls are all 1-point controls. The C3PAO decides whether to accept your POAMs. All POAMs must be completed within 180 days, or you will fail and potentially lose your contract.
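The scoring and POAM thresholds above can be checked with a simple gap-analysis script. The following is an added example, not code from Mainstream Technologies or the DOD; it assumes the DoD NIST SP 800-171 Assessment Methodology (a fully compliant system scores 110 and each unmet control subtracts its 5-, 3- or 1-point weight), and the control IDs and weights it uses are a constructed sample, not the official weighting table.

```python
from dataclasses import dataclass

TOTAL_CONTROLS = 110      # NIST SP 800-171 has 110 controls
MAX_SCORE = 110           # assumed: DoD methodology scores a fully compliant system at 110
MIN_MET_FOR_POAM = 88     # from the article: at least 88 of 110 controls must be met
POAM_DEADLINE_DAYS = 180  # from the article: open POAMs must be closed within 180 days


@dataclass(frozen=True)
class Control:
    control_id: str
    weight: int   # 5, 3 or 1 point
    met: bool


def sprs_score(controls):
    """Self-assessment score: 110 minus the weight of every unmet control (assumed method)."""
    return MAX_SCORE - sum(c.weight for c in controls if not c.met)


def poam_eligible(controls):
    """Article's rule: POAMs are usable only if >= 88 controls are met and every gap is 1-point."""
    if len(controls) != TOTAL_CONTROLS:
        raise ValueError(f"expected {TOTAL_CONTROLS} controls, got {len(controls)}")
    met = sum(1 for c in controls if c.met)
    unmet = [c for c in controls if not c.met]
    return met >= MIN_MET_FOR_POAM and all(c.weight == 1 for c in unmet)


def build_sample(unmet_ids):
    """Constructed sample of 110 controls: IDs C-000..C-109, weights 5/3/1 are illustrative only."""
    controls = []
    for i in range(TOTAL_CONTROLS):
        weight = 5 if i < 40 else 3 if i < 75 else 1
        cid = f"C-{i:03d}"
        controls.append(Control(cid, weight, cid not in unmet_ids))
    return controls


def gap_report(controls):
    """Summary a contractor would want before engaging a C3PAO."""
    return {
        "score": sprs_score(controls),
        "met": sum(1 for c in controls if c.met),
        "poam_eligible": poam_eligible(controls),
        "poam_deadline_days": POAM_DEADLINE_DAYS,
    }


if __name__ == "__main__":
    one_point_gaps = {f"C-{i:03d}" for i in range(100, 110)}
    print(gap_report(build_sample(one_point_gaps)))            # score 100, eligible
    print(gap_report(build_sample(one_point_gaps | {"C-000"})))  # score 95, a 5-point gap blocks POAMs
```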
About Mainstream Technologies
Established in 1996, Mainstream Technologies has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.
Mainstream Technologies is certified by the CYBER AB as a Registered Provider Organization (RPO) to help organizations meet CMMC requirements. We offer Governance Risk and Compliance Consulting, CMMC Readiness Assessments, Workforce Awareness Training, Vulnerability Management, Managed Detection and Response, and File Integrity Monitoring.
For more information, please contact Daniel Weatherly at 501.801.6706.