DFARS & CMMC Compliance
DFARS is written into your defense contracts. CMMC compliance assessments are coming. You need to be prepared for both.
The Department of Defense has implemented new cybersecurity regulations for contractors and sub-contractors, some of which are already in place. Have you taken the steps to comply? Are you sure you could pass a DoD audit? Do you need help understanding the guidelines?
As of 2020, the U.S. Government has introduced new compliance requirements designed to protect the DoD by holding contractors and sub-contractors accountable for their cybersecurity practices. One of these rules, the DFARS NIST 800-171 Interim Rule, is likely already included in your contracts. It is a temporary measure put in place to give contractors enough time to prepare for CMMC compliance audits, which we expect to be required by 2025.
Your business may qualify for a grant that covers some or all of the costs associated with the current requirement for a self-assessment!
CMMC compliance is complicated and will take many years to fully build out. Assessors need to be trained and certified, then over 300,000 businesses need to be assessed and certified to be eligible for contracts. CMMC has multiple levels, and different contractors will be held to different levels depending on the nature of the data they have access to.
The Five Levels of CMMC Compliance
All contractors will be required to meet Level 1 of CMMC compliance. Level 1 focuses on the protection of Federal Contract Information (FCI) and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.
Level 2 is considered a “transitional” level as it mainly focuses on documentation and policy requirements. It goes a step beyond the basic safeguards required by Level 1 and is designed to prepare contractors for further CMMC compliance requirements.
Level 3 is the lowest level of CMMC compliance required for contractors who have access to Controlled Unclassified Information (CUI). Any contractor with a DFARS clause in their contract will need to at least meet Level 3 requirements, as specific clauses require certain safeguards.
Level 4 of CMMC compliance measures an organization’s incident detection and response capabilities. It focuses on the protection of CUI and includes additional enhanced security requirements from Draft NIST SP 800-171B.
Level 5 is the highest level of CMMC compliance an organization can achieve. Organizations at this level have implemented cybersecurity practices that are incredibly sophisticated and optimized to protect CUI.