CMMC Readiness: Considerations for preparation, assessment, and continued compliance
By: Laura Fawcett, CISM, CGEIT | Managing GRC Consultant
December 16, 2024
Introduction
Good cybersecurity is critical for all organizations, but for Federal contractors, especially those working with the Department of Defense (DoD), there are specific cybersecurity requirements that must be understood and implemented to win and maintain contracts. Most contractors know these requirements are in their contracts and have been hearing about the Cybersecurity Maturity Model Certification (CMMC) for years now, but may not understand what is really involved and how it could impact their future DoD contracts.
What is Required Today
There are currently multiple cybersecurity-related clauses in Federal and DoD contracts.
- FAR 52.204-21: The Government expects and requires contractors to protect the systems that handle federal contract information with 15 “basic” cybersecurity requirements. This “Basic Safeguarding of Covered Contractor Information Systems” clause is added to all Federal contracts [1].
- DFARS 252.204-7012: The DoD mandates that contractors protect systems that handle “Covered Defense Information” (also known as controlled unclassified information – CUI) by following the requirements outlined in NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” along with additional requirements for cloud systems and reporting cyber incidents [2]. Contractors have been expected to comply with NIST 800-171 since December 31, 2017. There is currently a proposed rule that would require compliance with 800-171 for ALL federal contracts [3].
- DFARS 252.204-7019/7020: To understand how well contractors are complying with the requirements of the DFARS 7012 clause, the DoD added these clauses to contracts to define assessment criteria and establish requirements for contractors to self-report their compliance status and/or submit to a DoD assessment [4][5].
DFARS 7019 & 7020 were part of DoD’s interim rule that also included CMMC 1.0 (DFARS 252.204-7021). CMMC 1.0 included 5 levels and requirements above and beyond NIST 800-171. Because of the complexity and added requirements, it received significant push-back from industry. As a result, DoD put the roll-out of CMMC on hold and later released CMMC 2.0.