Throughout much of 2020 and 2021, the DoD worked to develop a new cybersecurity process. Its steps are meant to ensure that Defense Industrial Base (DIB) contractors meet the requirements for handling controlled unclassified data.
The process, called the Cybersecurity Maturity Model Certification (CMMC), premiered in 2020 and immediately impacted many federal contractors.
The new CMMC 2.0 framework, released in late 2021, provides a streamlined version of the CMMC. Federal contractors will soon need to follow this updated version.
Once codified via legislation, the DoD will require all DoD contractors to adhere to different CMMC levels depending on the controlled data that they have access to.
DIB companies, including cloud service providers and businesses reliant on CSPs, that are awarded DoD contracts of a certain value will need to be aware of CMMC 2.0 security requirements and related programs, like FedRAMP.
CMMC 2.0 level 1 will develop and strengthen the cyber-defenses of contractors that do not hold critical information. Data at this level is not a matter of national security.
Only cloud services that store controlled unclassified information (CUI) need to meet CMMC 2.0 level 2 requirements. These businesses will need triennial third-party assessments for “critical national security information” in addition to the self-assessments already required at level 1.
Details for level 3 are not currently available but will be based on a subset of NIST SP 800-172 requirements.
These CMMC levels are similar to other DoD security models and frameworks, like FedRAMP and CC SRG. They progress upwards, requiring greater cybersecurity investment as businesses handle more sensitive information.
Third-party cloud services used by DIB companies and contractors need to meet CMMC 2.0 requirements. However, they may or may not need to meet related requirements, like FedRAMP. It depends on the function they perform and the access they have.
In an article for CMMC Audit Preparation, Amira Armond, the president of cybersecurity provider Kieri Solutions, writes that, in the absence of DoD guidance on CMMC and third-party cloud services, it can be a good strategy to assume that any cloud service with management access to a CUI system is in scope for CMMC requirements.
For example, a third-party edge computing solution that contractors use to store or manage CUI would likely need to meet both CMMC requirements and have FedRAMP authorization. Because edge computing solutions can be hard to secure, contractors using them may struggle to meet CMMC guidelines.
However, these cloud services may not require FedRAMP authorization if they do not process or store CUI.
In the article, Armond included an email from John Ellis, the Quality Assurance Director (Acting) of the DCMA. Ellis clarified that a cloud antivirus service would not need moderate or high authorization if it did not have access to the CUI itself.
One thing that remains consistent from CMMC 1.0 to 2.0 is the potential for DoD cybersecurity audits. CMMC 2.0 will require these audits only for level 3 businesses. DIBCAC (the DoD’s Defense Industrial Base Cybersecurity Assessment Center) will likely be authorized to audit contractors on their implementation of NIST 800-171 practices.
During the audit, the DIBCAC audit team will review the contractor’s System Security Plan (SSP) and compliance with the NIST 800-171 standard. Audit scores are stored in the DoD’s SPRS (Supplier Performance Risk System).
CMMC 2.0 extends the Department of Defense’s approach to contract cybersecurity and builds on existing programs, like FedRAMP. Cloud service providers that work with the DoD should prepare to become compliant with the program’s requirements.