Unfortunately, the time for delaying or denying the CMMC deadlines and requirements for your contractor is quickly coming to an end. Since January of 2020, the Department of Defense has been pulling a Paula Abdul on its CMMC requirements: “2 steps forward and 2 steps back.” But that is quickly coming to a close as we have more definitive parameters, firm-fixed deadlines, and certified third-party assessors ready and able to complete the process.

For deeper insight, we’ve asked one of our experts in the field, Toby Musser, CEO of MNS Group, a CMMC third-party assessment organization (C3PAO) and Registered Provider Organization (RPO), to assist in breaking down some important details for DoD contractors, prime and subcontractors alike, and the deadlines they need to pay attention to.

While the original CMMC model has been modified, it is important to note where some of the biggest changes are and how that will apply to your company so you understand the level of disclosure and compliance you will be asked to provide. According to a recent article by Musser, “The first step of your CMMC readiness assessment involves determining which of three levels applies to your company under CMMC 2.0. The type of sensitive information that your organization handles will determine the requirements for cybersecurity in the CMMC model.” The levels were modified down to 1-3, with level 1 contractors permitted by the DoD to self-assess, while levels 2 and 3 require a third-party audit. 

Musser writes, “As of February 2022, the DoD removed the ability of level two companies to self-assess. As a result, all organizations at level two must submit to a third-party assessment every three years with annual checkups. When CMMC 2.0 first came out, certain level two companies were allowed to self-attest. However, the DoD couldn’t come up with a system to properly identify which sensitive information required a third-party audit and which did not. As a result, level two companies may no longer self-attest. The DoD lists 110 security controls for level two, but each control has many sub-requirements. Each requirement is listed in a 271-page self-assessment guide released for the purpose of helping companies establish the policies, procedures, and practices necessary for compliance.” Level 3 corresponds to level 5 of the original model; it is the strictest level of compliance and applies mostly to federal agencies or contractors that “[…] process, store, or transmit CUI associated with a critical government program or high-value asset.”

Another significant change is with regard to responsibility. 

Musser says, “Now, a named individual—usually a company officer—must attest to complete and forthright representation of a company’s security policies. Violations, which include failure to report a breach, result in penalties including fines and jail time […] The emphasis on individual responsibility stems from the Department of Justice’s Civil Cyber-Fraud Initiative, which it announced in October 2021. The teeth behind the initiative is the False Claims Act, which holds individuals accountable for deficient cybersecurity practices. Plus, the False Claims Act protects whistleblowers, individuals who point out violations in cybersecurity procedures.”

We can assume that with the DoD’s finalization and deadline rollouts for DoD manufacturers, and with compliance beginning as early as May 2023, other agencies will follow suit. 

National security and defense are a top priority of the Department of Defense, but information security and compliance oversight in all other federal agencies is just as important, and just as likely to be compromised by our adversaries across the globe. It is reasonable to say the framework established in CMMC will be adopted in some form by all government agencies in the coming years, so all prime and subcontractors would be wise to start their compliance journey and updates today.

We advise all in our GovCon network to seek consultation on CMMC compliance and how it applies to you from MNS Group or any of the other preferred providers entrusted by Team Parabilis for this purpose.

*Special thank you to Toby Musser and his team at MNS Group for their expertise and contribution to this blog.