
Monday, February 19 2024

What Does the Proposed Rule for CMMC 2.0 Mean for DoD Suppliers?

CARMEL –

By Gene Jones, Senior Program Manager, Cybersecurity and Defense


The Department of Defense (DoD) requires a secure and resilient supply chain to ensure the development, production, and sustainment of capabilities that are critical to national security. Both the DoD supply chain and integral USA infrastructure are targeted by adversaries with increasing frequency and sophistication - and to devastating effect. Did you see/read the recent FBI Director testimony on January 31st? It is sobering! Therefore, implementation of cybersecurity standards as required by Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012 & 7020 (and others) and enforcement mechanisms (CMMC 2.0) are critically important.

Cybersecurity Maturity Model Certification (CMMC) 2.0: Since 2013, various DFARS clauses in DoD contracts have required compliance with NIST 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) as a condition of receiving sensitive unclassified information. Additionally, FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) lists information security controls that contractors must enact to protect government contracting information that the federal government has not made public.

However, the vast majority of DoD and federal contractors have not complied with these requirements. As a result, DoD is in the process of releasing a verification method, CMMC 2.0, to enforce compliance. The proposed rule for CMMC 2.0 was released for public comment on December 26, 2023. It requires:

  • CMMC Level 1 Self-Assessment requires compliance with the basic safeguarding requirements to protect Federal Contract Information (FCI) set forth in FAR clause 52.204-21. CMMC Level 1 does not add any additional security requirements to those identified in FAR 52.204-21.
  • CMMC Level 2 Self-Assessment requires compliance with the security requirements set forth in NIST SP 800-171 Rev 2 to protect CUI. CMMC Level 2 does not add any additional security requirements to those identified in NIST SP 800-171 Rev 2.
    • Prior to the award of any Prime contract or subcontract, CMMC Level 1 and 2 Self-Assessments must be uploaded to the Supplier Performance Risk System (SPRS) and the company must attest to the validity of the score annually.
  • CMMC Level 2 Certification requires compliance with the security requirements set forth in 32 CFR § 170.17 (DFARS will be updated) to protect CUI. CMMC Level 2 does not add any additional security requirements to those identified in NIST SP 800-171 Rev 2.
    • A CMMC Level 2 Certification Assessment of the applicable contractor information system(s) provided by an authorized or accredited Certified Third-Party Assessment Organization (C3PAO) is required to validate implementation of the NIST SP 800-171 Rev 2 security requirements prior to award of any prime contract or subcontract and exercise of option.
    • The C3PAO uploads the score to eMASS, a government portal that feeds the SPRS.
    • The assessed company affirms its compliance and submits any POA&Ms to the SPRS.
  • CMMC Level 3 applies enhanced security requirements for protecting Controlled Unclassified Information that can only be assessed by DoD; it is beyond the scope of this article. Reference NIST 800-172 for more information.

Fully complying with CMMC Level 2 will be time-consuming and expensive for small to medium manufacturers/contractors. Therefore, it is crucial for a company to understand the type of information that they receive from DoD. Is it FCI or CUI? If you need help, Purdue MEP is ready to assist. Contact us at mepsupport@purdue.edu to learn more.

Writer: Gene Jones, 765-496-7802, jonesew@purdue.edu


Purdue Manufacturing Extension Partnership, 550 Congressional Blvd., Suite 140, Carmel, IN 46032, (317) 275-6810

© 2024 Purdue University