What is the CMMC proposed rule?
The Cybersecurity Maturity Model Certification (CMMC) proposed rule is a framework put forward by the Department of Defense (DoD) to strengthen the cybersecurity posture of the Defense Industrial Base (DIB). Its main changes are an emphasis on CMMC verification, under which contractors must have their compliance with the required cybersecurity standards assessed rather than merely attested (in many cases by an authorized third-party assessor), and an explicit statement that the cost of implementing the required cybersecurity measures is borne by contractors and is not reimbursed by the DoD.
The stated purpose of the recently released CMMC proposed rule is to safeguard sensitive information and reduce cybersecurity risk within the DIB. It is a significant step towards ensuring that contractors and subcontractors adhere to specific cybersecurity requirements, thereby protecting critical information and technologies.
Upcoming milestones for the CMMC proposed rule center on a phased implementation, with a projected timeline for when each certification level will be required in different contracts. This phased approach gives contractors time to meet the cybersecurity standards specified in the rule before they become a condition of award.
Overall, the CMMC proposed rule represents a proactive effort by the DoD to bolster the cybersecurity defenses of the DIB, with a focus on verification, non-reimbursable expenses, and a phased approach for implementation.
Need for strong cybersecurity measures in defense contracts
In defense contracts, strong cybersecurity measures are critical to safeguard sensitive and Controlled Unclassified Information (CUI) from unauthorized access and exploitation. The Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) already impose cybersecurity requirements to protect this data (for example, the basic safeguarding requirements of FAR 52.204-21 and the NIST SP 800-171 requirements of DFARS 252.204-7012). The introduction of the Cybersecurity Maturity Model Certification (CMMC) adds verification on top of those requirements.
Advanced Persistent Threats (APTs) present significant risks to defense contracts: they are sophisticated, targeted, long-running intrusions that can compromise sensitive information, disrupt operations, and undermine national security. Implementing the security requirements outlined in NIST SP 800-171 is essential to protect against APTs and to ensure the integrity of defense contracts.
Development and implementation of CMMC
The Cybersecurity Maturity Model Certification (CMMC) was developed by the Department of Defense (DoD) to enhance the protection of Controlled Unclassified Information (CUI) within the defense industrial base. The phased roll-out schedule for CMMC implementation was outlined in the Proposed Rule, with the effective date of the CMMC revision to the Defense Federal Acquisition Regulation Supplement (DFARS) anticipated to be in 2022.
The four-phase process for implementing the CMMC program, as laid out in the Proposed Rule, includes establishing the CMMC Accreditation Body, training and certifying a CMMC assessor workforce, implementing CMMC requirements in new contracts, and gradually applying CMMC requirements to existing contracts as they come up for renewal or modification.
After the effective date of the CMMC revision to the DFARS, key points related to the implementation timeline include the gradual inclusion of CMMC requirements in new and existing contracts, the availability of certified third-party assessors, and the phasing in of CMMC levels over time to ensure compliance across the defense industrial base.
Key Components of CMMC Proposed Rule
The Department of Defense (DoD) has put forward a new regulation known as the Cybersecurity Maturity Model Certification (CMMC) Proposed Rule. This rule aims to strengthen the cybersecurity requirements for government contractors and their subcontractors. The proposed rule focuses on key components that outline the framework for achieving and maintaining a certain level of cybersecurity maturity. These components include certification levels, maturity processes, cyber hygiene, and the role of third-party assessment organizations. Understanding these key components is essential for contractors and subcontractors to prepare for compliance with the CMMC framework and ensure the security of sensitive government information.
Prime Contractor Responsibilities
Prime contractors in the CMMC Program have the responsibility to ensure compliance with the appropriate CMMC levels and assessment types for themselves and their subcontractors. They are tasked with verifying that all relevant security requirements are met and maintained throughout the duration of the contract.
The oversight for the CMMC Program is provided by the Department of Defense Chief Information Officer (DoD CIO) and the CMMC Program Management Office (CMMC PMO). They establish and maintain the CMMC standards, requirements, and processes, and provide guidance and support to prime contractors and subcontractors.
During the assessment process, the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessors play a critical role. They conduct independent assessments to validate the CMMC level achieved by the prime contractor and their subcontractors.
Overall, prime contractors have a duty to ensure compliance with CMMC levels and assessment types, while the DoD CIO, CMMC PMO, and DCMA DIBCAC assessors provide oversight and support throughout the assessment process.
How Triad Cyber Can Help
Leveraging our partnership with Compliance Island and Microsoft, we have established a CMMC/800-171 compliant platform. This platform provides a completely managed approach to addressing CMMC/800-171 requirements. The platform consists of the following major components:
- Security documentation including system policies and procedures
- Security tools & technology configured and operationalized
- Office 365 Collaboration tools that can be used for secure collaboration
- Secure Azure environment where assets can be deployed in a compliant framework
- Security operations, service, and oversight, delivered as a fully managed service
- Support for migration of existing assets and technology into compliance platform
Implementing Triad Cyber's CMMC/800-171 compliance platform significantly reduces costs, decreases time to market, and enables organizations to focus on their core business. The timelines below show how an effort that can take years can be shortened to weeks.
Reach out to sales@traidcyber.net for more information.