How has CMMC compliance evolved from FAR 52.204-21?

As of now, it’s the second year of the US DoD’s five-year rollout of the CMMC. CMMC pilot projects are underway, and Licensed Training Providers (LTP) are slated to begin training Certified Assessors later in 2021; those assessors will then conduct CMMC assessments of Organizations Seeking Certification (OSC). By the end of 2026, all new DoD contracts will be required to include CMMC. Organizations that want to become compliant in time may wish to engage a DFARS consultant in Virginia Beach.

Any vendor in the DoD supply chain, whether a prime contractor or a subcontractor supplying a DoD contractor, will be required to meet CMMC requirements on applicable contracts. The Department of Defense is transitioning from NIST 800-171 self-attestation to the CMMC model.

NIST 800-171 addresses the protection of “Controlled Unclassified Information” (CUI), which is information created or possessed by the government, or by an organization acting on its behalf, that is not classified but still requires safeguarding or dissemination controls.

NIST 800-171 is a set of requirements describing the practices and controls organizations must use to protect this information. It specifies how CUI must be accessed, transmitted, and stored securely.

Knowing the requirements of CMMC version 1.0 will help you prepare for future CMMC assessments. If you work for a prime contractor or a subcontractor in the DoD supply chain, there are measures you should take right away to protect your contracts.

Understanding CMMC compliance in detail

FAR 52.204-21

On May 16, 2016, the government mandated that contractors protect their IT infrastructure with 15 basic cybersecurity requirements, as defined in FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.

DFARS 252.204-7012

In October 2016, the DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting clause was issued, directing conformance with NIST SP 800-171. All DoD contractors and subcontractors that handle covered defense information must implement NIST SP 800-171; under this clause, compliance is self-attested.

By incorporating the 110 security requirements of NIST SP 800-171, the DFARS 252.204-7012 clause signaled a significant move for the DoD. Most importantly, contractors were obliged to document both their compliance and their remaining gaps.

What are DFARS 7012 requirements?

The DFARS 252.204-7012 clause requires contractors to:

  • Protect CUI by implementing the NIST SP 800-171 security requirements.
  • Document how each requirement is met in a System Security Plan (SSP).
  • Maintain a Plan of Action and Milestones (POA&M) for requirements not yet implemented.
  • Obtain contracting officer approval for any variance, or for any “alternative, but equally effective, security measures” used to meet the requirements, as specified in DFARS 252.204-7012(b)(2)(ii)(B).
  • Report cyber incidents (including lost or stolen equipment) to the Department of Defense Cyber Crime Center (DC3) within 72 hours of discovery.
  • Preserve and submit malicious software to DC3 for analysis.
  • Support DoD damage assessments, including preserving images of known affected systems for at least 90 days after reporting an incident.
  • Flow the clause down to subcontractors whose performance involves covered defense information.

What are the Phases of CMMC?

DFARS 252.204-7012 is the foundation of CMMC

CMMC is a single cybersecurity standard designed to improve the overall security of the defense supply chain. It builds on the NIST 800-171 requirements but replaces self-attestation with verified assessment. CMMC is being phased in, and all new DoD contracts will require it by 2026.

Following the publication of DFARS 252.204-7012 and NIST SP 800-171, DoD issued an interim rule in November 2020 that added three new DFARS clauses and established a five-year phased rollout of CMMC.

The “crawl,” “walk,” and “run” stages of that rollout correspond to DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements), DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements), and DFARS 252.204-7021 (Cybersecurity Maturity Model Certification Requirements).

These newer DFARS clauses allow the DoD to confirm that contractors who have self-attested to NIST SP 800-171 compliance are genuinely compliant, by requiring a scored assessment recorded in the Supplier Performance Risk System (SPRS) and, ultimately, third-party CMMC certification.…