December 27, 2023

Last Updated on December 5, 2024

With the final DFARS rule now in the public record, we know that Cybersecurity Maturity Model Certification (CMMC) assessments conducted entirely by a C3PAO, with no DoD assessor support, are now on the horizon. It is now only a matter of time before defense contractors see the CMMC certification requirement on new or renewing contracts.

Contractors today should be focused on two things: 1. scheduling their CMMC Assessments, and 2. the next revision of NIST SP 800-171. The phase of implementing the security controls of NIST SP 800-171 is now behind us. To make this even more clear, we are beyond the days of “thinking about CMMC” and fully in the days of “your organization should already have the security controls of NIST SP 800-171 in place.” This means organizations should now know when they can schedule a CMMC Assessment, and should also be ready to leverage their previously implemented Risk Assessment and Security Assessment controls to determine what is needed to fully implement the third revision of NIST SP 800-171.

NIST SP 800-171 and CMMC are not only about security controls but also a continuously maintained information security program. Contractors must prioritize their obligation to protect Controlled Unclassified Information (CUI) using an established information security program or be left behind.

A brief history of CMMC:

In the ever-evolving landscape of cybersecurity, the protection of CUI has become a paramount concern for the U.S. Federal government. Over the years, various measures and frameworks have been introduced to safeguard CUI, with a particular focus on defense contractors. Looking back, let’s explore the journey from the introduction of CUI by the U.S. Federal government to the current state of CMMC assessments.

Executive Order 13556 and the Birth of CUI:

The foundation for the protection of Controlled Unclassified Information was laid with the issuance of Executive Order 13556 in November 2010. This order aimed to establish an open and uniform program for managing information designated as CUI across the federal government. Recognizing the sensitive nature of CUI, the order emphasized the need for standardized practices to prevent unauthorized access and disclosure.

DFARS Clauses and NIST SP 800-171:

Building on the executive order, the Department of Defense (DoD) introduced the Defense Federal Acquisition Regulation Supplement (DFARS) clauses, specifically DFARS 252.204-7012. This clause mandated that contractors implement the security requirements outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting CUI in Nonfederal Systems and Organizations”, and its original deadline for full compliance was December 31, 2017.

These requirements focused on protecting CUI through a comprehensive set of security controls, covering areas such as access control, incident response, and encryption, among others. Contractors were now obligated to meet these standards to ensure the confidentiality and integrity of CUI, but compliance with the required security controls was left entirely to the contractor, and the government had no easy way to verify that the required controls had actually been implemented.

CMMC Takes Center Stage:

Recognizing the need for a more robust and scalable approach to ensuring contractor compliance with NIST SP 800-171, the Department of Defense introduced the Cybersecurity Maturity Model Certification (CMMC) framework. CMMC builds upon the foundation laid by NIST SP 800-171 by establishing an ecosystem of commercial assessors and CMMC assessments. Although there have been changes to CMMC as the model has rolled out, the intent of enforcing NIST SP 800-171 has not wavered.

CMMC Assessments and C3PAOs:

To ensure compliance with CMMC, contractors will undergo assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs). These organizations, authorized by the Cyber Accreditation Body (formerly CMMC-AB), play a crucial role in evaluating a contractor’s cybersecurity maturity and certifying their compliance with the required level. As of 2023, contractors have already begun to be assessed under the Joint Surveillance Assessment program, in which CMMC assessments are conducted jointly by a C3PAO and the DoD’s own security assessors (DIBCAC).

CBIZ Pivot Point Security is a Registered Practitioner Organization (RPO) with Certified CMMC Professionals (CCP) and specializes in helping companies assess their cybersecurity and compliance risk. Contact us to talk about how we can help your organization on the path to CMMC compliance.