What Small Businesses Must Do to Stay Compliant
By Dan Clarke, President of Truyo, and Jeff Sizemore, Chief Governance Officer at Egnyte
Every year, the Department of Defense (DoD) relies on hundreds of thousands of entrepreneurial businesses to provide critical technologies and innovations that help support the men and women who are working to protect the US. Equally, DoD contracts are often the lifeblood for many of those private-sector businesses.
More recently, those companies––known as the defense industrial base (DIB)––have been the target of increasingly sophisticated cyberattacks. In an effort to safeguard against those attacks, the DoD initially introduced the NIST 800-171 standard to protect the confidentiality of controlled unclassified information (CUI). That program allowed defense contractors to self-attest; however, after review, the department discovered that a majority of contractors could not pass their audits.
To put an enforcement ring around compliance, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC) program in 2020. That framework was updated in November 2021 and requires all contractors within the DIB that handle CUI to certify, if they want to continue working with the department. But, as with any government program, there’s some gray area and contractors must understand where they fit in.
The evolution of CMMC
The CMMC is part of the DoD’s effort to secure its supply chain and protect its DIB contractors, who have increasingly been the target of frequent and complex cyberattacks, from cybersecurity threats. The program was designed to provide assurance to the DoD that DIB contractors can adequately protect CUI, and the requirement covers any information that may flow down to subcontractors in a multi-tier supply chain.
When the interim CMMC 1.0 rule went into effect, it was met with mixed reviews. Some applauded it, while others felt it was far too stringent because of its assessment requirements for very small contractors that manage CUI––and that continues to be a major barrier.
Initially, all DIB contractors were required to undergo an audit by a third party, referred to as a C3PAO (CMMC 3rd Party Assessor Organization). Now, under CMMC 2.0, only organizations that manage Federal Contract Information (FCI), classified as Level 1, may self-attest. All other DIB contractors that handle CUI––Level 2 and 3––must pass an audit by a C3PAO. Self-attestation is not an option for those businesses.
The problem with this requirement is that there simply aren’t enough auditors to meet the demand. Backlogs of audit requests have grown, and will continue to grow, as there is no assessor ecosystem in place today to accommodate them. The DoD and the CMMC Accreditation Board (AB) are working to correct the backlog, however.
What CMMC 2.0 means for small businesses
While the transition from CMMC 1.0 to CMMC 2.0 reduced the number of security tiers from five to three, it also put a heightened priority and urgency on contractors and subcontractors to become certified in order to continue their work with the DoD. Though contractors who process CUI will require C3PAO certification, at least 140,000 additional subcontractors who process only FCI have the ability to perform self-assessments.
The ability to self-assess, however, can be a double-edged sword as it places the onus on those companies to confirm that they are audit-ready and compliant. For smaller companies that typically don’t have security or privacy experts on their teams, self-assessment will represent a significant undertaking, and most don’t know where to start.
How small businesses can prepare
The first step is to determine the scope of the business’s CMMC auditable environment. It is imperative to understand where FCI and CUI data is processed within the contractor’s environment, then to build a security strategy around it.
For the Level 1 contractor, controls that are required to be compliant consist of 17 practices that fall under six domains:
- Access Control
- Identification and Authentication
- Media Protection
- Physical Protection
- System and Communications Protection
- System and Information Integrity
These are collectively known as basic safeguarding requirements for FCI, as defined in the Federal Acquisition Requirements (FAR) clause 52.204-21. Which controls you decide to implement first is also a critical decision as it will help to set your course for compliance.
Many businesses that are seeking CMMC L1 certification will begin with who has access to what data, how they access it, and what they are authorized to do with that data. That approach, for example, takes you through Access Control and Identification and Authentication first.
With those criteria, create a timeline and map to compliance. Again, this will require an understanding of where FCI and CUI data lives within your organization. Take into account structured and unstructured data, who has access to that data, how it is used and how it circulates through the business, as well as any vendors or partners that you interact with. You will also need to establish a confidential and protected environment for authorized users to collaborate and access FCI and CUI. The audit evidence or collected artifacts that demonstrate compliance to the requirements also need to be contained within the protected environment.
Having a clear picture of where all of your data lives and who has access to it will enable you to identify where you need to implement security safeguards. For many organizations this activity is a very time-consuming and manual process, especially if they don’t know where to look and don’t have processes, vendor products or in-house scripted automation to assist with data discovery. The good news is that there are now cost-effective automation tools available to smaller businesses––it’s just a matter of finding one that will support data discovery and walk you through becoming audit-ready.
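As an added illustration of the scoping step described above (this is not code from the article or from either author's company), the following Python pass runs over a constructed set of file-share entries: it flags files carrying CUI or FCI markings, lists the directories that fall into the auditable environment, records which principals can reach that data, and flags files readable by broad groups as an Access Control item to review. The marking patterns, paths, principal names and group names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (hypothetical shares, not real data): path -> (text excerpt, readers on ACL)
SAMPLE_FILES = {
    "/shares/contracts/SOW-2023.docx": ("CUI//SP-CTI Statement of work for task order", {"alice", "bob"}),
    "/shares/contracts/invoice.pdf": ("Federal Contract Information - invoice", {"alice", "Everyone"}),
    "/shares/marketing/brochure.pdf": ("Our capabilities", {"Everyone"}),
    "/home/bob/Downloads/drawing.pdf": ("CONTROLLED UNCLASSIFIED INFORMATION drawing", {"bob"}),
}

# Assumed markings: a CUI banner ("CUI" or "CUI//<category>") or the spelled-out phrase for CUI,
# and a contractual label for FCI. Organizations label FCI differently; adjust to your own convention.
CUI_RE = re.compile(r"\b(CUI(//[A-Z-]+)?|CONTROLLED UNCLASSIFIED INFORMATION)\b")
FCI_RE = re.compile(r"\bFederal Contract Information\b|\bFCI\b")


def classify(text):
    """Return 'CUI', 'FCI', or None depending on the markings found in the text."""
    if CUI_RE.search(text):
        return "CUI"
    if FCI_RE.search(text):
        return "FCI"
    return None


def discover(files):
    """Return [(path, category, principals)] for every file carrying FCI or CUI markings."""
    hits = []
    for path, (text, principals) in files.items():
        category = classify(text)
        if category:
            hits.append((path, category, frozenset(principals)))
    return hits


def scope(hits, broad_groups=frozenset({"Everyone", "Domain Users"})):
    """Summarize scoping: directories in the auditable environment, who can reach FCI/CUI,
    and files whose ACL grants a broad group (a finding to review under Access Control)."""
    in_scope_dirs = sorted({path.rsplit("/", 1)[0] for path, _, _ in hits})
    access = defaultdict(set)
    broad_access = []
    for path, category, principals in hits:
        for user in principals - broad_groups:  # named principals who can reach this data
            access[user].add(category)
        if principals & broad_groups:           # anyone in a broad group can read it
            broad_access.append(path)
    return {"in_scope_dirs": in_scope_dirs, "access": dict(access), "broad_access": sorted(broad_access)}
```

The output doubles as a first audit artifact: the directory list bounds the environment, and the access map is the starting point for the "who has access to what" review the article recommends.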
Whether performed manually or supplemented by the use of an automation tool, the time to start preparing is now. Though the official enforcement date for CMMC 2.0 has been somewhat of a moving target, it is tentatively set for 2025, and you need to get ahead of the curve. This is mission-critical, since the DoD is prioritizing a speedier rollout.
About the Authors
Dan Clarke is the President of Truyo, an automated consent and data privacy rights management platform. He has more than 30 years’ experience in technology and business leadership, and is an experienced data privacy advisor with deep expertise in the privacy landscape. Dan can be reached at truyo.com.
Jeff Sizemore is the Chief Governance Officer at Egnyte, a cloud content security and governance platform, where he is responsible for the strategy and execution of Egnyte’s Secure and Govern solution. Jeff has an extensive background in data protection, specifically in encryption, key management, data loss prevention, and identity and access management. Jeff can be reached at egnyte.com.