As cyber attacks become more calculated, complex, and high-stakes, many government agencies in the United States and around the world are closely examining who they do business with. Contracting with the wrong business could lead to major consequences, and in the U.S. Defense Industrial Base, a cyber attack could cost lives.
The U.S. Department of Defense released CMMC, a rigorous set of cyber standards for entities contracting with the DoD, in January of 2020. Then, in November 2021, they doubled back and released a more streamlined version of the certification. The change and unclear implementation timeline sparked confusion in many federal and defense spaces. Here, we’ve outlined some common questions, and a short action item list as you set off on your journey to meet CMMC 2.0 compliance.
CMMC is a set of cyber security standards set forth by the United States Department of Defense to prevent increasingly frequent and nefarious cyber attacks on businesses within the defense industrial base (DIB). Introduced in 2020, CMMC encapsulated five categories of compliance, each more rigorous than the last, with which companies would have to identify and comply.
The goal is for the DOD to set a benchmark for cybersecurity practices, so it can trust that its contractors’ security infrastructure isn’t vulnerable to attacks. The DOD also wants to remain in lockstep with the cyber security standards laid out in DFARS, and the National Institute of Standards and Technology’s Cybersecurity Framework, particularly sections NIST 800-171 and NIST 800-172. While the NIST framework is voluntary, CMMC 2.0 is not voluntary for many businesses in the DIB. CMMC even lays out specific requirements from NIST that should be met in order to be CMMC 2.0 compliant.
Organizations contracting with the United States Department of Defense (DoD) and/or handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will be required to meet CMMC standards.
CMMC 2.0 is an amended version of the CMMC standards originally issued in 2020, taking into account critiques and pleas from organizations about cost, effort, and complexity. Here’s a quick rundown:
The timeline for the rollout of CMMC 2.0 has been foggy, to say the least. Without giving a definitive timeline, the OUSD states that the requirements must be solidified in the rulemaking process. The Department estimates this process will take from 9 to 24 months - and many experts have predicted that CMMC 2.0 will begin showing up in contracts in 2025.
DIB contractors will need to be strategic and realistic about timing. The OUSD outlines the path to compliance as such:
First, companies must implement security practices that meet the requirements of the CMMC level they identify with. Then, the DOD will perform an assessment of an entity’s security infrastructure to verify compliance. Finally, compliance will be solidified with paper and pen as the DOD will transition to only contracting with entities that meet CMMC 2.0 compliance.
Likely, less financial stress. One of the primary reasons for paring down the CMMC 2.0 rules was to ease the burdens of cost and time on the DIB, particularly small businesses. With less detailed requirements to fulfill and the allowance of self or third-party assessments, companies can seek out resources within their budget to meet these requirements.
According to the Office of the Under Secretary of Defense (OUSD), the DoD plans to release a comprehensive cost analysis for each level of compliance with CMMC 2.0.
Level one is a nice starting point, but the key to determining the appropriate level for your organization is to examine how often your organization handles CUI and for what purpose. If you handle CUI frequently, you’ll likely want to shoot for at least level 2.
Your organization should investigate vulnerabilities by performing a self-assessment prior to beginning your CMMC compliance journey. You’ll need to take a deep dive into how your organization stores and shares CUI, and examine the adequacy of your current protections.
256-bit encryption is lauded as a standard method of protecting data where it’s stored and when it’s in motion, and can be considered military-grade. CMMC level 3 requires that encryption be used for data at rest and in motion, including CUI, FCI, passwords, and more. But encryption is a method of data protection that’s become increasingly easy to implement, which will solidify compliance in all other CMMC levels without a particularly heavy lift. In particular, encryption services must be certified by FIPS 140-2.
For more information on how you should comply with CMMC 2.0, the OUSD has many resources and explainers at your disposal, including model overviews and consistent updates on the CMMC 2.0 timeline.
Virtru’s foundational data protection standard, the Trusted Data Format (TDF), was founded in the midst of the DIB, in the National Security Agency (NSA). By securing data transmitted through email, file sharing, gateways, and SaaS applications, Virtru empowers DIB organizations to apply end-to-end protections and Zero Trust controls to the nation’s most sensitive data no matter where it lives or travels.
By wrapping data with encryption at the object level, Virtru allows you to have complete, autonomous control over every piece of sensitive data. Granular access controls can be audited and monitored in the Virtru control center, where data owners have complete oversight of who has accessed any given piece of data, with the ability to revoke and grant access at any time. You can also have complete control over the encryption keys protecting your data with our customer-hosted encryption key server, further supporting CMMC compliance.
To help organizations better understand CMMC 2.0, Virtru assembled experts in the Defense Industrial Base and cybersecurity industry to discuss what you can expect from these new requirements, and how you can prepare. You can register for free here.
To learn more about how Virtru can help your organization meet CMMC 2.0 encryption requirements, contact our team today.