CMMC and the Interim Rule: A Definitive Guide For What Contractors Need to Know Today

CMMC, as you know by now, stands for Cybersecurity Maturity Model Certification — a program created by the United States Department of Defense (DoD) to determine the readiness, capability and sophistication of its Defense Industrial Base (DIB) in the area of cybersecurity.

Not only is the DoD itself is an attractive target for malicious cyber-attacks, so are its more than 300,000 contractors and subcontractors. Hence the better-late-than never cybersecurity certification standard that is CMMC.

A Quick Definition of the CMMC Certification

CMMC or Cybersecurity Maturity Model Certification is a new certification procedure for analyzing the cybersecurity capabilities of contracted companies. The certification assesses the cybersecurity controls and policies of contractors in a bid to ensure these companies can protect the Confidential Unclassified Information (CUI) they regularly handle as part of working on defense contracts with the military.

Before CMMC, these same contractors could self-certify their compliance under the applicable DFARS (Defense Federal Acquisition Regulations). Breaking news: most such companies were not nearly as secure in their cyber practices as claimed.

Furthermore, contractors weren’t required to provide evidence that what kind of security practices they were following.

Also Read:

How to get CMMC Certification? Everything you need to know about CMMC

Understanding the Different Levels of CMMC Certification

The CMMC classifies all cyber practices and processes into five levels ranging from basic cybersecurity to advanced security operations. Contractors will have to live up to one of these levels depending on each DoD contract and the type of CUI they might be handling as a result.

Level 1:

It is basic yet important for all higher CMMC levels. This level is built around the protection of Federal Contract Information (FCI), which is government information not meant for public use.

Level 2:

Level 2 requires an organization to create and document practices and policies to implement their CMMC efforts.

Level 3:

At this level, organizations are supposed to maintain activities and assess policies and processes, demonstrating a plan to manage particular activities. This level is roughly equivalent to NIST 800–171, with which many contractors are familiar.

Level 4:

Level 4 needs improved cybersecurity practices that can offer protection against advanced threats or long-term attacks. This level also requires organizations to review and document activities for effectiveness and inform upper management of any problems.

Level 5:

Level 5 is the most advanced and is dedicated to the protection

These five CMMC certification levels represent the maturity and reliability of a contractor’s cybersecurity infrastructure and controls, and their ability to protect critical information.

Achieving any level implies that an organization has also met and is practicing all the security requirements of the levels below.

Critical DOD contracts require contractors to meet higher security standards, which means that only a small percentage of the DIB which handles the most sensitive information will have to attain level 4 or 5 CMMC certification. Level 3 contracts will be far more common.

What are the CMMC Components?

The key CMMC components are domains, processes, capabilities and practices.

How to Prepare for a CMMC Certification?

Even though the total implementation the CMMC across the DIB will take nearly five years, companies should already be preparing for their certifications as early as possible due to the new Interim Rule which recently went into effect. More on that in a moment.

For now, contractors must realize that creating policies, incorporating solutions and instituting the necessary changes will take significant time. Make sure to plan for at least six months to truly create a new culture of compliance if there doesn’t already exist a meaningful level of cyber hygiene at your organization.

Because more and more defense contracts will require CMMC certification by the end of the year, it is best to start with your certifications preparations right away.

Let the “Interim Rule” Guide Your Path

On September 29, 2020, a new interim rule was announced by the DOD to introduce a new compulsory construct known as the DOD Assessment Methodology. Because full CMMC implementation will take through 2025, the Interim Rule is intended help secure the DIB now. It amends the DFARS or the Defense Federal Acquisition Regulation Supplement.

Having already gone into effect on December 1, 2020, the Interim Rule requires a self-assessment against NIST 800–171 based on a new scoring framework. Companies must list their gaps, define a date by which they will be filled, then create both a POAM and an SSP to govern their cyber practices in the meantime.

Any contractor who hasn’t already fulfilled the requirements mentioned in the paragraph above is already at risk of being shut out of future contracts.

In case you haven’t yet conducted the required self-assessment, here are 5 key points from the defense department’s recent Interim Rule:

  1. As of December 1, 2020, all contractors were required to publish a self-assessment based on their handling of Controlled Unclassified Information (CUI)
  2. The Self-Assessment must also include a System Security Plan (SSP) with a Plan of Action and Milestones (POAM) describing the current state of their network and their plan to achieve 100% compliance with the NIST 800–171 requirements
  3. Prime Contractors must flow this requirement down to their subcontractors/suppliers that handle CUI as well
  4. DCMA will conduct random audits to ensure companies have not only completed the self-assessment, but have scored themselves accurately, have an SSP and are working towards completing a realistic POAM
  5. Contractors that handle CUI need to complete a new self-assessment and post it with DISA before a contract will be awarded going forward.

The self-assessment is something many contractors can complete internally but the SSP and POAM are more nuanced and may require help — particularly for those organizations intending to maintain a culture of compliance, rather than just checking a box today and forgetting about cybersecurity tomorrow.

We have been helping small and mid-sized contractors become compliant quickly and cost effectively, which means we have just the experience you need if you haven’t yet complied with the Interim Rule.

If you aren’t prepared, you are not alone but you are at risk of losing future contracts. To explore how we can help, contact us to set up a time to speak.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store