Category: DoD

  • Understanding the CMMC 2.0 Framework: What Defense Contractors Need to Know

    Understanding the CMMC 2.0 Framework: What Defense Contractors Need to Know

    CMMC 2.0 is extremely close to being required in DoD contracts that involve FCI or CUI. If you have been putting this off (and I know you probably have), you really need to take this seriously now!

    The Cybersecurity Maturity Model Certification (CMMC) framework was developed to standardize cybersecurity practices for defense contractors, particularly those working with the Department of Defense (DoD). Now, with the release of CMMC 2.0—and its final rule going into effect—organizations must prepare for the changes and requirements that lie ahead.


    What is CMMC 2.0?

    The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is the latest version of the DoD’s cybersecurity program for defense contractors. Originally introduced as CMMC 1.0, the updated 2.0 framework streamlines and clarifies the requirements, making it easier for organizations to understand and achieve compliance. This evolution emphasizes reducing barriers while maintaining robust security standards.

    The CMMC 2.0 program rule (32 CFR Part 170) was published in the Federal Register as a final rule on October 15, 2024, setting critical requirements into motion for defense contractors handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).


    Why Does CMMC Matter?

    The defense supply chain is a primary target for cyberattacks, and the DoD relies on contractors of all sizes to safeguard sensitive information. Without consistent and enforceable security requirements, vulnerabilities can compromise national security.

    CMMC ensures that organizations implement the appropriate cybersecurity controls based on the sensitivity of the data they handle. This framework establishes accountability, trust, and confidence across the defense industrial base (DIB).


    Key Differences Between CMMC 1.0 and CMMC 2.0

    CMMC 2.0 introduces critical improvements:

    1. Three Tiers Instead of Five
      CMMC 2.0 simplifies the maturity levels into three:
      • Level 1: Foundational (the 15 basic safeguarding requirements of FAR 52.204-21, for FCI)
      • Level 2: Advanced (the 110 security requirements of NIST SP 800-171 Rev. 2, for CUI)
      • Level 3: Expert (Level 2 plus 24 selected requirements from NIST SP 800-172, for CUI exposed to advanced persistent threats)
      The streamlined approach drops the CMMC 1.0 transitional levels and the process-maturity practices that went beyond NIST, and focuses effort on the security requirements themselves.
    2. Flexibility in Assessments
      • Level 1: Annual self-assessment, with results entered in SPRS.
      • Level 2: Triennial self-assessment where the DoD specifies it for a given contract, and triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO) otherwise.
      • Level 3: Triennial government-led assessment by the DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), which requires a Level 2 C3PAO certification first.
      This tiered assessment model balances cost, effort, and security rigor based on the sensitivity of the information involved.
    3. Reduced Costs and Compliance Burden
      By aligning CMMC 2.0 directly with existing NIST standards, organizations can leverage their existing cybersecurity investments rather than adopting a completely new framework.
    4. Focus on Accountability
      Organizations must submit an affirmation of continued compliance in SPRS annually, signed by a senior official (the Affirming Official). This puts leadership on the hook for the accuracy of the assessment while keeping administrative overhead low.

    Final Rule Implementation Timeline

    The final rule, which solidifies CMMC 2.0 requirements, took effect on December 16, 2024. Defense contractors must now take deliberate steps to meet these requirements to secure future DoD contracts. The timeline emphasizes the urgency for organizations to begin preparing immediately to avoid non-compliance risks.

    The DoD plans to phase CMMC requirements into contracts over a three-year rollout that begins when the companion DFARS acquisition rule takes effect, but proactive preparation is critical. Contractors who handle Controlled Unclassified Information (CUI) are particularly urged to prioritize Level 2 readiness.


    How to Prepare for CMMC 2.0

    1. Identify Your Level
      Determine which level of CMMC applies to your contracts:
      • Do you handle only FCI? Focus on Level 1.
      • Do you manage CUI? Start preparing for Level 2.
    2. Implement NIST Standards
      Since CMMC 2.0 aligns with NIST SP 800-171 (Level 2) and NIST SP 800-172 (Level 3), organizations should focus on implementing these controls effectively.
    3. Conduct Self-Assessments
      Begin with an internal self-assessment to identify gaps in your current cybersecurity practices. Use the assessment procedures in NIST SP 800-171A and the DoD Assessment Methodology scoring to benchmark your progress, and record the results in your System Security Plan (SSP) and Plan of Action and Milestones (POA&M).
    4. Engage with CMMC Third-Party Assessment Organizations (C3PAOs)
      If a Level 2 C3PAO assessment is required for your contracts, work with a C3PAO accredited by the Cyber AB to prepare for and schedule the assessment.
    5. Promote Leadership Accountability
      Engage executive leadership to oversee and affirm compliance annually. This ensures organization-wide alignment and prioritization.

    The Stakes Are High

    For contractors in the defense industrial base, compliance with CMMC 2.0 is not optional—it’s a requirement for securing DoD contracts. Failure to meet these standards can result in loss of contracts, reputational damage, and even legal ramifications.

    CMMC 2.0 is more than just a compliance checkbox; it’s about building resilient, secure systems to protect sensitive data and safeguard national security.


    Final Thoughts

    The final rule for CMMC 2.0 is now in effect, and the time to act is now. By simplifying maturity levels, aligning with NIST standards, and offering flexible assessment options, CMMC 2.0 balances practicality with rigorous cybersecurity demands.

    For defense contractors, preparation means safeguarding sensitive information, meeting compliance obligations, and securing opportunities for future contracts. Start today by identifying your required level, implementing the necessary controls, and prioritizing leadership accountability to ensure long-term compliance success.


    Stay Ahead of CMMC 2.0 Requirements
    For ongoing updates and insights, stay tuned to official DoD announcements and trusted cybersecurity resources. Proactive action today will ensure your organization’s security—and readiness—tomorrow.

  • What is NIST 800-171 scoring and why do I care?

    What is NIST 800-171 scoring and why do I care?

    Background

    If you have found this, you are looking for NIST 800-171 scoring. If you are, you must have a taste for alphabet soup so this background is for you…

    New DFARS (Defense Federal Acquisition Regulation Supplement) interim rules took effect on November 30, 2020, adding clauses 252.204-7019, -7020 and -7021, forcing defense contractors to adhere to new processes and requirements, and placing greater emphasis on compliance with cybersecurity regulations (namely NIST 800-171).

    Contractors who handle Controlled Unclassified Information (CUI) must now conduct self-assessments of their NIST 800-171 compliance status in accordance with NIST 800-171A assessment guidance; score themselves on the subtractive, weighted formula prescribed by the DoD Assessment Methodology; and report their score and the expected completion date of their Plan of Action and Milestones (POA&M) to the government through the Supplier Performance Risk System (SPRS) in order to remain eligible for new contract awards that involve handling CUI. In addition, the Defense Contract Management Agency's (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) can now mandate more detailed analysis of contractor compliance through Medium and High confidence assessments at the government's discretion. For Medium and High assessments, DIBCAC personnel may perform detailed reviews of contractor System Security Plans (SSPs), or conduct full NIST 800-171A evidence-based assessments of contractor compliance.

    The NIST 800-171 Self-Assessment

    How to score the assessment

    There are a number of checklists out there that can help you calculate a score for your assessment, and they are extremely helpful. In general, the score is derived as follows:

    Every assessment starts at 110 points, one point for each of the 110 security requirements in NIST 800-171. Points are then subtracted for each requirement that is not fully implemented, and since some omissions have a larger impact on the security of CUI than others, the subtraction is weighted.

    The deduction for each non-implemented requirement is as follows:

    • Requirements whose absence could lead to significant exploitation of the network or exfiltration of CUI cost five points each.
    • Requirements with a more specific, confined effect on security cost three points each.
    • All other requirements cost one point each.
    • Two requirements allow partial credit: 3.5.3 (multifactor authentication) costs three points instead of five if MFA covers privileged and remote users but not general users, and 3.13.11 (FIPS-validated cryptography) costs three points instead of five if encryption is in use but is not FIPS-validated.
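    The arithmetic above as an added example, written for this page rather than taken from the post or from the DoD methodology document. The requirement weights are a constructed sample of nine requirements, not the full 110-row Annex A table, so the sample's floor is 75 rather than the real -203. Beyond the weighting itself, it encodes the two partial-credit cases the DoD methodology defines (3.5.3 and 3.13.11 score 3 instead of 5 when MFA covers only privileged and remote users, or when encryption is in use but not FIPS-validated) and the CMMC Level 2 conditional-status checks from 32 CFR 170.21: a score of at least 88 and no open item worth more than 1 point, other than 3.13.11 at 3. The function names and status strings are my own.

```python
"""DoD Assessment Methodology scoring for a NIST SP 800-171 self-assessment.

Added example, not part of the original post. Start at 110 points and subtract
the weight (5, 3 or 1) of every requirement that is not fully implemented,
with the two partial-credit cases the methodology defines for 3.5.3 and
3.13.11. Then apply the CMMC Level 2 conditional-status checks from
32 CFR 170.21: score of at least 88 and only POA&M-eligible items left open.
"""

MAX_SCORE = 110
CMMC_L2_MIN_SCORE = 88  # 0.8 * 110

# Constructed sample of requirement id -> weight. A real assessment uses the
# full 110-row table in Annex A of the DoD Assessment Methodology.
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # Limit system access to authorized users
    "3.1.2": 5,    # Limit access to permitted transactions and functions
    "3.1.5": 3,    # Least privilege
    "3.3.1": 5,    # Create and retain system audit logs
    "3.4.9": 1,    # Control and monitor user-installed software
    "3.5.3": 5,    # Multifactor authentication (partial credit possible)
    "3.8.9": 1,    # Protect confidentiality of backup CUI
    "3.13.11": 5,  # FIPS-validated cryptography (partial credit possible)
    "3.14.1": 5,   # Identify, report and correct system flaws
}

# Statuses an assessor records per requirement (names are my own).
IMPLEMENTED = "implemented"
NOT_IMPLEMENTED = "not_implemented"
# Partial states the methodology defines for two specific requirements.
MFA_PRIVILEGED_REMOTE_ONLY = "mfa_privileged_remote_only"  # 3.5.3 only
NON_FIPS_ENCRYPTION = "non_fips_encryption"                # 3.13.11 only


def deduction(req_id, status, weights):
    """Points subtracted for one requirement, given its assessed status."""
    if req_id not in weights:
        raise KeyError(f"unknown requirement {req_id}")
    if status == IMPLEMENTED:
        return 0
    if status == NOT_IMPLEMENTED:
        return weights[req_id]
    if req_id == "3.5.3" and status == MFA_PRIVILEGED_REMOTE_ONLY:
        return 3
    if req_id == "3.13.11" and status == NON_FIPS_ENCRYPTION:
        return 3
    raise ValueError(f"status {status!r} is not valid for requirement {req_id}")


def score_assessment(results, weights):
    """Return the DoD Assessment Methodology score for a complete assessment.

    `results` maps every requirement id in `weights` to a status; an incomplete
    assessment is an error rather than a silently inflated score."""
    missing = set(weights) - set(results)
    if missing:
        raise ValueError(f"unassessed requirements: {sorted(missing)}")
    return MAX_SCORE - sum(deduction(r, s, weights) for r, s in results.items())


def poam_eligible(req_id, status, weights):
    """Whether an open item may sit on a POA&M at CMMC Level 2 assessment time.

    32 CFR 170.21 bars POA&M items worth more than 1 point, except 3.13.11
    when it is scored at 3 (encryption in use but not FIPS-validated)."""
    d = deduction(req_id, status, weights)
    if d == 0:
        return True  # fully implemented, nothing to POA&M
    return d == 1 or (req_id == "3.13.11" and d == 3)


def cmmc_level2_conditional(results, weights):
    """Return (score, eligible, blocking) for a CMMC Level 2 conditional status.

    `blocking` lists open requirements that must be fixed before the
    assessment can close with a conditional status."""
    score = score_assessment(results, weights)
    blocking = sorted(
        r for r, s in results.items()
        if deduction(r, s, weights) > 0 and not poam_eligible(r, s, weights)
    )
    return score, score >= CMMC_L2_MIN_SCORE and not blocking, blocking


if __name__ == "__main__":
    # Constructed assessment: everything implemented except four items.
    results = {r: IMPLEMENTED for r in SAMPLE_WEIGHTS}
    results.update({
        "3.1.5": NOT_IMPLEMENTED,             # -3
        "3.5.3": MFA_PRIVILEGED_REMOTE_ONLY,  # -3 instead of -5
        "3.8.9": NOT_IMPLEMENTED,             # -1
        "3.13.11": NON_FIPS_ENCRYPTION,       # -3 instead of -5
    })
    score, eligible, blocking = cmmc_level2_conditional(results, SAMPLE_WEIGHTS)
    print(f"SPRS score: {score}")                                    # 100
    print(f"Conditional status possible: {eligible}")                # False
    print(f"Must remediate before assessment closes: {blocking}")    # ['3.1.5', '3.5.3']
```

    Note that the sample assessment clears the 88-point bar comfortably and still cannot close with a conditional status, because two of its open items (least privilege and the partial MFA deployment) carry more than one point. That is the practical effect of the POA&M rule: the score alone does not tell you whether the assessment can close.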

    What do I do with the score?

    Doing the above assessment will result in a score between -203 and 110. Yes, you can get a valid negative score!

    Once you have your score, you will need to report it to the DoD through SPRS. Details can be found here: Supplier Performance Risk System (disa.mil)

    DoD Assessment Methodology scoring system

    Clearly, a self-assessment score can vary based on who is filling it out. Some contracts are extremely sensitive while others may be less sensitive. If you handle sensitive CUI, a self-assessment may not be enough of a guarantee that CUI is being protected. This is where your self-assessment may be challenged with requests for supporting evidence.

    3 Levels of confidence scores

    The NIST 800-171 DoD assessment consists of three levels at which compliance is evaluated:

    • At the first level, the Basic assessment, contractors score their own systems against their SSP, which yields a self-generated “low” confidence score.
    • Medium assessments result in a “medium” confidence score, following a designated DoD official’s review of:
      • The contractor’s NIST 800-171 self-assessment score
      • The contractor’s SSP and other documents describing how each requirement is met
    • High assessments result in a “high” confidence score, following a designated DoD official’s review of:
      • The contractor’s NIST 800-171 self-assessment score
      • Documents provided by the contractor
      • The evidence behind the security plan, verified with the NIST 800-171A examine, interview and test methods, usually on site (This is often termed “over the shoulder” which, to me, means audit)

    #DFARS #NIST800-171 #CUI #SPRS

  • MCRD San Diego Basic Marine Graduation

    MCRD San Diego Basic Marine Graduation

    I’ve always been interested in military tradition and ceremony. I’ve attended, even helped run, a couple of commissioning ceremonies for U.S. Navy ships, which is really something special.

    I have wanted to attend a basic training graduation ceremony for a long time and last Friday I had the pleasure of attending one. The Marines did not disappoint. Each part of the ceremony was explained well by the staff and it was really informative. In the photo below the senior drill instructors inspect one of the six platoons as they march by.

    It was a ceremony where 501 young men and women became Marines. It was likely the biggest moment of their lives so far and represented 13 weeks of serious training.

    Thank you to Brigadier General J.L. Morris, USMC, for the invitation.

    I acknowledge that there was no drill team performance and all the drill instructors seemed to be well. Thus no need for an ambitious PFC to take the lead and get the platoon through graduation. Although, I admit, it was hard not thinking about that movie while I was there.