Despite taking steps to improve cybersecurity within the supply chains of the U.S. Department of Defense (DoD), recent cyberattacks have highlighted the need for additional action. To maintain status as DoD contractors, companies within the Defense Industrial Base (DIB) must adhere to baseline cybersecurity controls which are changing in the near future.

These controls were established in 2016 by the Federal Acquisition Regulation (FAR) 52.204-21. Subsequently, in 2018, the Defense Federal Acquisition Regulation Supplement (DFARS), clause 252.204-7012, came into effect. This supplementary update emphasized the protection of more sensitive information and was considered a significant advancement in DoD supply chain cybersecurity at that time.

However, as cyber breaches have increased in frequency, it has become evident that these measures weren’t sufficient. Adversaries are becoming more advanced and persistent, so DIB companies must elevate cyber defenses to counter the threat.

With these issues in mind, the DoD looked for a way to mitigate cybersecurity risks within the DIB. The result is the Cybersecurity Maturity Model Certification (CMMC). The CMMC differs from previous policy in both the technical safeguards and the way these are overseen. Instead of a one-size-fits-all checklist, the CMMC aims to align progressively more stringent controls with the types of data in use and the types of threats posed. Current DoD estimates suggest fall 2024 for these new requirements to start appearing in new contracts.

CMMC’s three levels — foundational, advanced and expert — establish a progression of requirements to each level, incrementally adding to those of the preceding levels. For example, reaching expert level 3 would require a company to meet requirements for foundational level 1 and advanced level 2, plus those imposed under level 3.

Federal Contract Information (FCI) is provided by or generated for the government in contracts whenever there is a need for a product or service. This information is not intended for public release.

  • Level 1: Foundational. The CMMC requires DIB companies that process, store or transmit FCI to meet level 1 requirements. The DoD Chief Information Security Officer (CISO) estimates that around 65% of all DIB companies (approximately 140,000) will only have to meet level 1 requirements.
  • Level 2: Advanced. Controlled Unclassified Information (CUI) is created or possessed by the government or by an entity on behalf of the government (from 32 CFR 2002.4). Since CUI is considered more sensitive than FCI, the CMMC requirement begins at level 2. The DoD CIO estimates that 80,000 DIB organizations will have to meet level 2 requirements.
  • Level 3: Expert. A small subset of DIB companies that have CUI but are determined by the DoD to have an elevated risk from Advanced Persistent Threats (APTs) must meet level 3 requirements. These more stringent requirements are currently being developed by the DoD.

The Move to CMMC 2.0

CMMC Version 1.0 was released in January 2020, but as outlined in a Government Accountability Office (GAO) review, many saw it as too costly and inflexible to implement for small to medium businesses.

In November 2021, DoD released CMMC 2.0, which included significant modifications to the initial CMMC framework. CMMC 2.0 eliminates several CMMC-unique practice requirements and aligns with NIST SP 800-171 Rev. 2.

With CMMC 1.0, all DIB companies would have needed to demonstrate compliance with the CMMC cybersecurity practices to a third-party assessor. In the move to 2.0, this requirement has been replaced with an annual self-assessment and affirmation for companies at Level 1. DIB companies requiring Level 2 assessments must use a third party assessment.  Only Certified CMMC Assessors (CCAs) working for CMMC third-party organizations (C3PAOs) will be able to perform these Level 2 assessments.  Level 3 assessments must be performed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Only after a CCA confirms that a DIB company has met the CMMC requirements, will a CMMC certificate be granted. Certificates are granted to the DIB company by the Cyber Accreditation Body (Cyber AB). In the future, this certificate will have to be attained before the DIB company can work on any DoD contract.

How CMMC 2.0 Handles CUI With OT/ICS

In CMMC 1.0, the scoping guidance issued by the DoD followed a construct best tailored for IT only systems. It required that any system where CUI could be stored, processed or transmitted have all CMMC cyber controls applied to it. To minimize the cost and impact of trying to apply all of these controls, we advised DIB companies to minimize the number of systems that could fall into that category. This proved to be difficult because workflows are deeply engrained and streamlined to be the most efficient for that company. This is especially true for companies with IT and OT convergence.

With CMMC 2.0, new OT/ICS scoping guidance means that we no longer need to focus on the interaction between these systems and CUI. The new guidance outlines a “specialized assets” category that includes IoT, OT and ICS systems. For these specialized assets, only one CMMC cyber control needs to be met.

Control 3.12.4 of NIST SP 800-171 requires nonfederal organizations to develop, document and periodically update a System Security Plan (SSP). On a high level, this means that a full and accurate inventory list is essential to form a network diagram. It also allows OT/ICS cyber professionals to employ a more risk-based approach for security and compliance. This flexibility means that these professionals can select and implement cyber countermeasures tailored for the system and threat environment. The assessor will then see to it that the DIB company’s plan for specialized assets is actually implemented in practice.

Help Is Available

Owners and operators of critical infrastructure and manufacturing need security capabilities that reach beyond information technology. You need solutions that consider both IT and operational technology. Ideally, this would would be a company that can establish comprehensive OT cybersecurity programs from setup to integration — and one that mitigates risks, protects your investments, and anticipates next-generation needs and responses. It is important to work with a firm that can leverage deep industry knowledge to deliver solutions, training and support specific to your unique challenges.

1898 & Co. is equipped to help DIB companies navigate the CMMC 2.0 process. Our CMMC gap analysis offering serves as a foundation that details your company's current cybersecurity posture and provides you a tailored roadmap to increased security and CMMC compliance. We also offer services to help close those gaps, prepare you for your CMMC assessment and even serve as a liaison during the assessment. To maintain good standing as a DoD contractor, getting the right guidance regarding the CMMC process is crucial. Preparing now could help ease navigating the transition later.

A proactive, balanced approach to cyber resilience is needed for optimal risk management.

Explore Our Services

Lorenzo Williams is a cybersecurity senior consultant at 1898 & Co., a part of Burns & McDonnell. He has worked 10 years primarily in the federal and defense sectors ensuring cybersecurity compliance with numerous regulatory standards.