DOD Is Cracking Down on Cybersecurity: What You Need to Know

CMMC
October 3, 2022

With the frequency and severity of cyber attacks intensifying, the Department of Defense (DOD) is cracking down on cybersecurity by pushing its supply chain to improve its cyber defense capability. Because implementation of the DOD's existing cybersecurity requirements has lagged, the department is introducing new evaluation processes rather than relying on contractors' own assurances.

"DIB (Defense Industrial Base) cybersecurity is and will remain an expanding priority for the U.S. Department of Defense," according to Deputy Defense Secretary Kathleen H. Hicks. With nearly one million civilian employees and tens of thousands of contractors worldwide in fields including technology and engineering, this is no small mission, as the DOD takes an aggressive stance with stricter standards and expectations for the civilian employees and contractors who work with sensitive information.

The Defense Federal Acquisition Regulation Supplement (DFARS) contains the cybersecurity requirements (notably clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting) that defense contractors and suppliers have had to follow since 2016 to do business with the department. DFARS is a supplement to the Federal Acquisition Regulation (FAR), the principal set of rules used by all executive agencies when acquiring supplies and services with appropriated funds. DFARS ties its cybersecurity standards to requirements defined by the National Institute of Standards and Technology (NIST), a non-regulatory federal agency within the Department of Commerce.

NIST SP 800-171 has been the framework for protecting Controlled Unclassified Information (CUI) on the networks of third-party government contractors and subcontractors since 2017. Think of it as a catalog of data security controls. CUI includes legal material, physical documents, emails, contractor information, technical drawings and blueprints, intellectual property, and many other types of data. NIST SP 800-171 consists of 110 requirements organized into 14 families, each covering specific components of an organization's IT policies, practices, and technology. Contractors are required to implement NIST SP 800-171 to demonstrate DFARS compliance.

Unfortunately, the current state of DFARS compliance does not inspire confidence in cyber protection. Under the existing model, contractors self-attest to compliance, and prime contractors rely on the same self-attestation to evaluate their subcontractors and suppliers. When the DOD audited this practice, it found significant compromises of sensitive defense contractor information systems. This confirmed worries both about lax cybersecurity in the supply chain and about self-assessment and self-attestation as a method of evaluating contractor compliance.

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the DOD's response to compromises of sensitive information on contractor systems caused by weak security and compliance practices. The DOD launched the CMMC 2.0 standard to protect CUI and the Defense Industrial Base from frequent, complex, and increasingly dangerous cyberattacks. The framework is designed to verify contractor competency, capacity, and compliance in cybersecurity, replacing self-attestation with assessment for the most sensitive information.

CMMC 2.0 organizes the requirements of FAR 52.204-21, NIST SP 800-171, and NIST SP 800-172 into three levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). The level a DIB company must meet depends on the type of information it handles.

  1. Level 1 (Foundational): Requirements align with FAR 52.204-21, which provides basic safeguarding for covered contractor information systems that process, store, or transmit Federal Contract Information (FCI). Seventeen practices must be met, verified by an annual self-assessment.
  2. Level 2 (Advanced): Requirements mirror the 110 NIST SP 800-171 requirements. For select programs an annual self-assessment will suffice, but programs involving information critical to national security will require a third-party assessment every three years (triennial).
  3. Level 3 (Expert): Requirements build on all 110 NIST SP 800-171 practices and add some or all of the 35 enhanced requirements of NIST SP 800-172. Assessment at this level will be government-led and conducted every three years.

Conclusions

The message is clear. Contractors must be vigilant in meeting current and future contractual obligations, and this is not the time to procrastinate. The DOD means business and will not accept the status quo from contractors while the department's cyber program comes together. Preparing for NIST SP 800-171 can take up to 18 months. The most recently announced target for the interim rule is May 2023, with CMMC 2.0 requirements appearing in contracts 60 days later, in July 2023. For planning purposes, businesses that handle CUI should aim to be compliant by July 2023. The DOD and other government agencies will continue to prioritize cyber compliance, so contractors who compete in this challenging space must be proactive and attentive to their own capacities, capabilities, and readiness to perform in this evolving landscape.
