Since becoming law in 2017, NIST 800-171 has governed the protection of Controlled Unclassified Information (CUI) by DoD contractors and subcontractors. Companies must adhere to the specific 110 controls of NIST 800-171 in order to be eligible for and complete government projects that involve CUI.
While companies may have been able to ‘’self-attest’’ to NIST 800-171 requirements in the past, the DoD has strengthened its review and enforcement. With the implementation of the DFARS Interim Final Rule in 2020, companies are now required to submit a scored self-assessment into the DoD’s Supplier Performance Risk System (SPRS) based on their compliance with the 110 requirements of NIST 800-171.
Expected to begin in 2024, defense contractors and subcontractors will have to certify—and potentially overhaul—their cybersecurity controls and policies to comply with Cybersecurity Maturity Model Certification (CMMC). Companies that fail to abide by the cybersecurity standards required by their contracts may face hefty penalties, which could be as much as the entire contract value. These penalties and the potential loss of government contracts could create substantial risks to businesses’ revenue streams.
Depending upon the level of cybersecurity maturity your company needs to meet requirements, it could take months to become compliant. If your business is already compliant, you still need to ensure continuous monitoring support is in place to meet requirements.
After rigorous evaluation and industry feedback, CMMC 2.0 simplifies the original CMMC 1.0 release by reducing the maturity level from five levels to three. This simplification aims to provide organizations with a more streamlined, manageable, and cost-effective solution, allowing for a more gradual implementation of security measures. It also creates improved standardization across the defense industry and encourages more consistent adoption for overall improved cyber hygiene and supply chain resilience.
Whether you need Level 1, Level 2, or Level 3 CMMC compliance, it’s important to get started now!
Level 1 is 17 controls, and the 54 page assessment guide applies to companies that focus on protecting Federal Contract Information (FCI) and is based on FAR 52.204-21. These controls protect covered contractor information systems and limit access to only authorized users.
Level 2 is 110 controls (inclusive of Level 1), 320 assessment objectives, and a 270 page assessment guide that applies to companies working with Controlled Unclassified Information (CUI). The requirements of Level 2 are now completely aligned with NIST 800-171.
Level 3 focuses on reducing risk from Advanced Persistent Threats (APTs) and is designed for companies working with CUI on the DoD’s highest priority programs. Specific security requirements are still being determined by the DoD, but will most likely be based on the 110 controls of NIST 800-171 in addition to a subset of NIST SP 800-172 controls.
According to the Department of Justice (DoJ), the False Claims Act is “the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations.” Not being up-to-date with requirements or misrepresenting your compliance status not only puts CUI at risk, but could jeopardize your business’ success and reputation as well.
Firms that fail to abide by the cybersecurity standards in their contracts may face hefty penalties. Those penalty fines, combined with the potential loss of existing or future government contracts, could create substantial risks to business’ revenue streams.
There can also be criminal risk for knowing and willfully making a false claim or statement. Such reckless misstatements risk liability under the False Claims Act.
In a 2022 settlement by the DOJ, a DoD manufacturer was fined $9.0M and a whistleblower and former employee received $2.61M as his share of the False Claims Act recovery.
CMMC certification will be required of any contractor or subcontractor that stores, processes, or transmits any Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).
The length of time it takes to become CMMC certified will depend on which maturity level you intend to achieve and your current state as it relates to your network and cybersecurity.
These timelines will vary depending on your organization’s size, complexity, and current security posture.
As a DoD contractor ourselves, SSE can help your business achieve and maintain CMMC compliance and provide the essential elements to simplify the process.
SSE has been accredited by The CYBER AB (formerly the CMMC Accreditation Body) as a Registered Provider Organization (RPO), and we have maintained networks to the NIST 800-171 and NIST 800-53 standards since they came into existence. Our experience in managing classified data and controlled unclassified information (CUI) through evolving cybersecurity regulations is built on established expertise and customer service.
Our mission at SSE is to accelerate business and human performance through technology-enabled solutions and services. We value teamwork, integrity, and quality while keeping a service-minded focus to intently serve our client-partners.
When you work with our team, we create a customized plan for compliance. Not only do we help you work through the initial assessment and remediation work, but we continue our role as trusted advisor, maintaining service and ongoing support to ensure compliance with industry standards.
Many of our clients have been working with us for years, with our average tenure being eight+ years. Our proven performance has been recognized not only by our clients, but through industry partners as well. SSE has been listed on the 501 Global List by MSPmentor every year since 2017 and St. Louis Small Business Monthly has awarded us as the Best IT Firm six times and Best in Customer Service three times.
CMMC, or Cybersecurity Maturity Model Certification, is a program from the U.S. Department of Defense (DoD) that is applicable to Defense Industrial Base (DIB) contractors to ensure that DoD contractors are properly protecting sensitive information.¹
All DoD contractors will be required to comply with CMMC. Companies that intend to work with federal contracts in any form should consider CMMC compliance a minimum requirement to display competency in matters of cybersecurity.²
If your company were to fail a compliance audit or not meet the CMMC requirements, you’ll miss out on any and all government contracts that require this compliance.³
As a long-standing DoD contractor and IT and cybersecurity services provider, SSE has been supporting DoD contracts for over 12 years, managing networks to meet regulatory compliance.
Depending on the scope and maturity of an organization and their information system, compliance efforts from assessment to audit-ready could take 3-6 months or longer.
Getting stated as soon as possible with a Gap Assessment can provide the documentation needed now for NIST 800-171 and to help inform your organization’s specific needs, timeline, and budget to plan for CMMC certification.
https://www.sseinc.com/wp-content/uploads/2021/12/AdobeStock_313456871-scaled.jpeg
1166
2048
Robert Duffy
https://www.sseinc.com/wp-content/uploads/2019/03/SSE-Final-Logo-01-1-1030x365.png
Robert Duffy2021-12-01 19:08:552023-04-14 15:09:34Key Updates in CMMC 2.0
https://www.sseinc.com/wp-content/uploads/2021/10/Untitled-document-e1633378986368.jpg
200
338
Robert Duffy
https://www.sseinc.com/wp-content/uploads/2019/03/SSE-Final-Logo-01-1-1030x365.png
Robert Duffy2021-10-04 20:18:122023-04-14 14:56:40What to Know Before Your NIST 800-171 Assessment Submission
https://www.sseinc.com/wp-content/uploads/2020/09/Screen-Shot-2020-09-07-at-12.10.43-PM.png
350
638
Robert Duffy
https://www.sseinc.com/wp-content/uploads/2019/03/SSE-Final-Logo-01-1-1030x365.png
Robert Duffy2020-09-07 16:14:262023-03-08 22:11:49Why Did The DoD Create CMMC?SSE is a certified Women-Owned Small Business with over 30 years of experience in both the technology and training industries, serving commercial and government markets.
