CMMC 2.0 and FOCI Assessments: Preparing for What Lies Ahead By Jaclyn Jaeger
Defense contractors and subcontractors that handle Controlled Unclassified Information (CUI) and do not have robust information-security system controls in place better get their house in order now if they want to do business with the U.S. government before the initial implementation phase of Cybersecurity Maturity Model Certification (CMMC) 2.0 begins next year. In December 2023, the Department of Defense (DoD) published a proposed rule outlining a “comprehensive and scalable” assessment program as a way for the DoD to validate that defense contractors and subcontractors have implemented the security protections required by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171, Revision 2, which describes security requirements for protecting CUI in nonfederal systems and organizations. Although NIST recently published the final version of 800-171 Revision 3, the DoD said it is not incorporating that version into the CMMC program at this time.
CMMC 2.0: Three assessment levels

The CMMC program’s purpose is to verify and provide assurance that robust security safeguards are in place to protect sensitive unclassified information shared between the DoD and its contractors and subcontractors, or generated by contractors and subcontractors. CMMC 2.0 establishes the following three levels of assessment, depending on the type and sensitivity of the information:

• Level 1: Contractors and applicable subcontractors must verify through an annual self-assessment that they have implemented all 15 security requirements required by FAR clause 52.204–21, which outlines basic safeguards for CUI. The results of the assessment must be entered electronically in the Supplier Performance Risk System (SPRS).

• Level 2: Contractors and applicable subcontractors must verify that they have implemented all 110 security requirements of NIST SP 800–171 Rev 2. The DoD will determine on a contract-by-contract basis whether a self-assessment will suffice or whether the assessment must be performed by an accredited CMMC Third Party Assessment Organization (C3PAO). Self-assessments would be performed on a triennial basis, while a third-party certification will be good for up to three years.

• Level 3: These are the highest-priority, most critical defense programs, and they will require government-led assessments. Once CMMC 2.0 is finalized, contractors and applicable subcontractors must implement the 24 selected security requirements from NIST SP 800–172. CMMC Level 2 is a prerequisite for CMMC Level 3.