The Cybersecurity Maturity Model Certification (CMMC) is intended to serve as a verification mechanism that ensures appropriate cybersecurity practices, processes and capabilities are in place, so that the Defense Supply Chain (DSC) achieves an adequate level of cyber hygiene and protects Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The new DFARS contract clauses introduced in the September 30, 2020 DFARS interim rule add further clarity for contractors. DFARS 252.204-7019 makes the DoD Assessment requirements explicit: an offeror must have a current NIST SP 800-171 DoD Assessment score posted in the Supplier Performance Risk System (SPRS). DFARS 252.204-7020 requires contractors to provide the Defense Contract Management Agency (DCMA) with access to their facilities, systems, and personnel when a higher-level (Medium or High) assessment is required, and to flow the requirement down to subcontractors. DFARS 252.204-7021 introduces the CMMC standard as a new verification vehicle. These clauses are to be included in all solicitations and contracts issued after November 30, 2020, including those for commercial items, unless the acquisition is solely for "Commercial Off the Shelf" (COTS) products.
Federal Government Security Requirements
Previous attempts by the DoD to secure its information through the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) proved insufficient over time. The DoD now requires all Defense Supply Chain companies, except COTS providers, to comply with new clauses added alongside the existing FAR 52.204-25 and DFARS 252.204-7012. The enhanced DFARS rules being phased in through the end of the year first require companies subject to NIST SP 800-171 to complete their self-assessment and report the resulting score in SPRS, and second allow DoD assessment of that implementation, alongside the introduction of CMMC third-party assessments on certain contracts.
The Certification Process
United Office Technologies Group follows the process below to start an Organization Seeking Certification (OSC) on its journey. First, we perform a practice and control gap assessment against the target standard (CMMC Levels 1 through 5, NIST SP 800-171, and so on). Next, we create a System Security Plan (SSP) conforming to NIST SP 800-18 and a Plan of Action and Milestones (POA&M). We then work with the organization to remediate every gap recorded in the POA&M, targeting a score of 110 (the maximum) on NIST SP 800-171 assessments, and to close any remaining gaps for full conformance with CMMC. We observe conformance over a 3 to 6 month period to confirm that the practices are habitual and persistent. Then we work with the OSC to identify artifacts that provide objective evidence of conformance. Lastly, we introduce you to a CMMC Third Party Assessment Organization (C3PAO) for your CMMC assessment.