What are the CMMC requirements?
The Cybersecurity Maturity Model Certification (CMMC) safeguards sensitive national security information handled by defense contractors. The Department of Defense (DoD) launched CMMC 2.0, a framework comprising three levels, to protect the defense industrial base from increasingly frequent and complex cyberattacks. David McKeown, senior information security officer and deputy CIO for cybersecurity at the Department of Defense, shared during The Cybersecurity Landscape: Bridging the Gap that “[DoD is] doing the right thing to protect the right data at the right levels for those three levels versus trying to throw a blanket over all 220,000 companies that are out there.”
DoD CMMC requirements now break down into three levels for the roughly 220,000 companies that hold defense contracts:
- Level 1 (Foundational) – Self-assess your company annually against the 17 basic safeguarding practices and submit the results to the Supplier Performance Risk System (SPRS).
- Level 2 (Advanced) – Be assessed by a third-party assessment organization (3PAO; in CMMC terms, a CMMC Third-Party Assessment Organization, or C3PAO) against the 110 security requirements of NIST SP 800-171 to get certified.
- Level 3 (Expert) – Undergo the 3PAO assessment of the company's ability to safeguard controlled unclassified information (CUI), plus an additional government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) against a subset of the enhanced requirements in NIST SP 800-172.
What is the DoD zero trust architecture approach?
The Office of Management and Budget (OMB) released a Federal strategy (memorandum M-22-09) to move the U.S. Government toward a “zero trust” approach to cybersecurity. The memorandum sets forth a Federal zero trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of fiscal year (FY) 2024 to reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns.
“It is going to be a major culture shift [at DoD],” said McKeown. “We have started with defining a DoD zero trust reference architecture that we use within the department. We published that over a year ago – just prior to the SolarWinds incident being announced. We were on the path already within the department to start implementing zero trust.”
Under zero trust, no request is trusted because of where it comes from: the user's identity is verified on every access, and access is limited to the specific resources that identity needs, so that a compromised device or account cannot move freely and the damage stays contained.
“Zero trust will stop you from escalating your privileges, it segments you from other parts of the network, it restricts you to specific servers, and it makes it harder for you to break out and just wander around aimlessly within the network,” McKeown explained.
The strategy also calls for a complete inventory of the devices authorized for government use, so that security teams can detect and respond to incidents on those devices. In short, a zero-trust architecture grants no implicit trust based on network location; every user and device must be verified on every request.
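The access decision these paragraphs describe, as an added illustration that is not from the page, from OMB M-22-09 or from any DoD reference architecture: a minimal policy decision point that evaluates each request on verified identity, authorized-device inventory, device posture and an explicit per-resource entitlement, beside the legacy perimeter check that trusts any internal address. The users, device IDs, addresses, resources and entitlements are constructed sample data.

```python
"""Added example: a minimal zero-trust policy decision point (PDP).

Contrasts the legacy perimeter model (any request from an internal address is
trusted) with a zero-trust check that evaluates every request on verified
identity, authorized-device inventory, device posture and an explicit
per-resource entitlement. Users, devices, addresses, resources and
entitlements are constructed sample data, not real DoD or GSA systems.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The old "inside the perimeter" notion: one trusted address range.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed device inventory: only authorized devices appear, each with
# its owner and the result of its last posture (health) check.
DEVICE_INVENTORY = {
    "LAPTOP-0417": {"owner": "alice", "compliant": True},
    "LAPTOP-0932": {"owner": "bob", "compliant": False},  # failed posture check
}

# Constructed entitlements: identity -> allowed (resource, action) pairs.
# Privilege escalation is just an unlisted pair and is denied like any
# other unlisted access.
ENTITLEMENTS = {
    "alice": {("payroll-db", "read")},
    "bob": {("build-server", "read"), ("build-server", "write")},
}


@dataclass(frozen=True)
class Request:
    user: str           # identity asserted by the caller
    device_id: str      # device presenting the request
    source_ip: str      # where the packet came from (irrelevant under zero trust)
    resource: str       # segment/server being accessed
    action: str         # operation requested
    mfa_verified: bool  # did the user pass MFA for this request?


def perimeter_allows(req: Request) -> bool:
    """Legacy model: trust is implied by network location alone."""
    return ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Evaluate one request. Every check must pass; location is not a check."""
    if not req.mfa_verified:
        return False, "identity not verified (MFA required)"
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None:
        return False, "device not in authorized inventory"
    if device["owner"] != req.user:
        return False, "device not registered to this identity"
    if not device["compliant"]:
        return False, "device failed posture check"
    if (req.resource, req.action) not in ENTITLEMENTS.get(req.user, set()):
        return False, f"no entitlement for {req.action} on {req.resource}"
    return True, "allowed"


# Constructed scenarios, including the lateral-movement and stolen-credential
# cases that a perimeter model waves through.
SCENARIOS = {
    "alice, own laptop, her database":
        Request("alice", "LAPTOP-0417", "10.1.2.3", "payroll-db", "read", True),
    "alice wanders to the build server":
        Request("alice", "LAPTOP-0417", "10.1.2.3", "build-server", "write", True),
    "stolen alice creds on an unmanaged internal box":
        Request("alice", "ROGUE-BOX", "10.9.9.9", "payroll-db", "read", True),
    "bob on a laptop that failed posture":
        Request("bob", "LAPTOP-0932", "10.4.4.4", "build-server", "read", True),
    "alice working remotely from the internet":
        Request("alice", "LAPTOP-0417", "203.0.113.5", "payroll-db", "read", True),
}


def compare_models() -> dict[str, tuple[bool, bool]]:
    """Return {scenario: (perimeter_allows, zero_trust_allows)} for each scenario."""
    return {name: (perimeter_allows(r), zero_trust_decision(r)[0])
            for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (peri, zt) in compare_models().items():
        print(f"{name:50} perimeter={'allow' if peri else 'deny':5} "
              f"zero-trust={'allow' if zt else 'deny'}")
```

Run it and the table shows the difference McKeown describes: the perimeter model allows three internal requests that zero trust denies (lateral movement to an unentitled server, stolen credentials on an unmanaged box, a device that failed its posture check), while the legitimate remote user that the perimeter blocks is allowed because her identity, device and entitlement all check out.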
“We have several pilots that have already been accomplished and several more underway,” McKeown added. “We have fought for dollars within the department to realign towards this new security architecture, from our old perimeter-based, signature-based architecture to this new zero trust environment. It is a great initiative.”
How do government contractor cybersecurity requirements help prevent future hacks?
The General Services Administration (GSA) is leading governmentwide efforts to strengthen cybersecurity for customer agencies by leveraging the strategies and standards set forth by DoD. In fact, GSA recently signed a memorandum of understanding (MOU) with the Defense Innovation Unit (DIU) that will make it easier for federal agencies to access innovative technology solutions through GSA's Multiple Award Schedule. All of these efforts, including holding contractors accountable for new and required cybersecurity obligations, mean a strengthened infrastructure that is better placed to prevent future hacks.
The top five cybersecurity requirements that contracting firms should be familiar with are:
- Federal Information Security Modernization Act (FISMA), which governs the security of federal information systems, including systems that contractors operate on an agency's behalf
- FAR 52.204-21, the basic safeguarding clause that applies to any contractor system that processes federal contract information
- DFARS clause 252.204-7012, which requires defense contractors to implement NIST SP 800-171 for covered defense information and to report cyber incidents to DoD within 72 hours of discovery
- NIST SP 800-171, the 110 security requirements for protecting controlled unclassified information (CUI) in nonfederal systems
- CMMC 2.0, which verifies, at the level the contract requires, that those safeguards are actually in place
Finally, encouraging healthy procurement competition and fostering a supportive environment for businesses of all sizes are essential to remaining on the leading edge of cybersecurity developments.
“We want to continue to drive and develop a thriving marketplace of new entrants and new innovative companies, because that is going to be vitally important so that we don’t get the same few players and the same known solutions,” said Sonny Hashmi, commissioner of GSA’s Federal Acquisition Service. “We want to make sure that we don’t create an environment where it’s so hard for these smaller businesses to do business with the federal government. The burden is so large that we start losing innovation, losing new entrants, losing new abilities for us to move the needle.”