Last Updated on January 19, 2024
We Don’t Think We Need CMMC Level 2 but the Government Says We Do…
Since the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) first appeared on the horizon in 2020, orgs across the US defense industrial base (DIB) have been saying that CMMC shouldn’t apply to them because they don’t have controlled unclassified information (CUI). Or they should be exempted from CMMC compliance because they are selling a COTS product.
What can you do if you think this is you? George Perezdiaz, NIST/CMMC Consultant at Pivot Point Security, addresses these and many other top CMMC questions on a special “CMMC Q&A” episode of The Virtual CISO Podcast. Hosting the show and firing the questions is Pivot Point Security CISO and Managing Partner, John Verry.
Do you really not have CUI?
Say you work for a small DIB staffing company that “just puts bodies on bases.” The government is telling you to prepare for CMMC Level 2 compliance. But you don’t think you handle any CUI on your systems or networks. How do you respond?
George points out that the first step is to look carefully at your contract(s) and what you’ve agreed to do for the DoD. If you accepted a DFARS 7012 clause in your contract, you’re required to implement the NIST 800-171 framework that is the foundation of CMMC Level 2.
“One thing to remember is that the information the DoD provides you may be CUI because of the job description, the personnel, the technology skill requirements…” George advises. “Things of that nature can give insight into the DoD’s priorities. If I need 15 satcom professionals at name a base or military installation, now I’m giving insight into what the DoD is planning to do with the mission in that particular installation. The things that look trivial may not actually be that casual.”
George shares that things like flight schedules can be not just CUI but Classified. Data that might look unimportant can actually tip off an adversary on what the DoD is planning.
“Likely they have CUI and they just don’t know it,” George states.
When in doubt, build a CMMC enclave
What if your contract has a DFARS 7012 clause today but you really, truly don’t have any CUI? One solution could be to build a special enclave to capture any CUI that gets sent your way. That way you’re “CUI ready” and can even achieve CMMC Level 2 certification.
“We actually have clients that say they don’t have CUI, but they want to continue to play in that space,” notes George. “They asked, ‘Can I get CMMC ready?’ And we did that. We built them a secure room with a key and a lock and cameras and fences, and it’s empty. Whenever the DoD says, ‘Here’s your CUI,’ they can comfortably say, ‘I can put it here, in this secure room.’”
“So there’s no need to panic and run around like crazy [when CUI comes],” adds George. “They are ready. And that [scenario] is more normal than you would think.”
What about COTS only contracts?
Another common concern across the DIB is: “We just sell COTS parts to the DoD. Do we still need CMMC Level 2 and NIST 800-171?”
To address this issue, you’ll need to look very carefully at exactly what goods you’re providing and whether they meet the DoD’s definition of COTS products. Per the current DFARS 7012 clause, COTS-only contract scenarios are generally exempt from CMMC Level 2 compliance—but not from CMMC Level 1, since you are probably handling federal contract information (FCI).
George advises: “One thing to remember as you look at the services you provide to the DoD, is it a commercial product? Is it offered to the government under contract without modification? That generally says, ‘Hey, this is a COTS product. DoD, I don’t need to have CMMC Level 2 because these things apply.’ So, at the end of the day, just know your rights, know the end applicability of that product and you’ll be in good shape there.”
Next steps?
To hear this special CMMC Q&A podcast episode in its entirety, click here.
Are you considering working with a CMMC Registered Provider Organization (RPO) like Pivot Point Security? Here’s guidance on what to consider when choosing your RPO: CMMC 2.0: Choose Your Registered Provider Organization Carefully