The Cybersecurity Maturity Model Certification (CMMC) is the new cybersecurity framework for defense contractors that is being rolled out over five years. In the meantime, the Department of Defense (DoD) announced an interim rule requiring defense contractors to self-assess their implementation of the National Institute of Standards and Technology (NIST) Special Publication 800-171 cybersecurity controls and be subject to DoD audits.
Both CMMC and the interim rule provide huge opportunities for MSPs because financial penalties for noncompliance can be hefty. Many of the 300,000 defense contractors rely on their contracts to stay alive. Even those with a lower reliance on defense contracts don’t want to lose the profits. Failure to comply can result in cancelled contracts, being banned from future contracts, civil claims under the federal False Claims Act, and potential criminal penalties for fraud.
DFARS NIST 800-171 Interim Rule
The Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements are referenced in over 87% of defense contracts. Since 2017, the DFARS 252.204-7012 clause has required defense contractors to implement the 110 cybersecurity controls defined in NIST 800-171 to protect Controlled Unclassified Information (CUI).
Surveys and audits showed that most defense contractors had not complied with the DFARS requirement, however, so the DoD created CMMC, which requires them to pass an independent cybersecurity assessment to qualify for defense contracts. CMMC necessitates that an entire new ecosystem be developed from the ground up—building out the training materials and trainers, training and certifying assessors and consultants, and then assessing and certifying over 300,000 defense contractors—and will not be mandated in all defense contracts until FY 2026, which begins in October 2025.
Because of the long rollout, the DoD announced an interim rule in September 2020 that requires contractors to score their implementation of NIST SP 800-171 and post their score in the federal Supplier Performance Risk System (SPRS) database to get new defense contracts and renewals until CMMC takes effect. The interim rule became effective at the end of November 2020.
Scoring is based on a weighted scoring system where points for missing controls are deducted from the perfect score of 110 (the number of controls in NIST 800-171). Each control has been assigned a weighted deduction score of 1, 3, or 5 points. The score submitted to the federal database is good for three years, but ongoing compliance is required because the contractor must be prepared for a DoD or prime contractor audit at any time.
Negative scores are possible. For example, a new client asked for our help implementing the 34 controls they were missing. During our initial meetings they told us they had posted a score of 76 into SPRS by simply subtracting one point for each of their missing controls. After we began working with them, we accurately deducted the weighted scores for their missing controls and determined that their score was really –4.
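To make the weighted-deduction arithmetic concrete, here is a small scoring calculator added as an example (it is not from the article or from any DoD tool). The control IDs and their 1/3/5 weights are constructed for illustration only; the real per-control weights come from the DoD Assessment Methodology and are not reproduced here. The constructed gap list reproduces the situation described above: 34 missing controls that look like a score of 76 when each is counted as one point, but come out to -4 once the weights are applied.

```python
"""Weighted NIST SP 800-171 self-assessment (SPRS) score calculator.

Added example. Control IDs and weights below are constructed; the
actual weights are published by the DoD, not reproduced here.
"""
from typing import Dict, Iterable

PERFECT_SCORE = 110          # one point per NIST SP 800-171 control
VALID_WEIGHTS = {1, 3, 5}    # deduction weights described in the article


def weighted_score(missing: Dict[str, int]) -> int:
    """Return 110 minus the summed deduction weights of the missing controls.

    `missing` maps a control ID to its deduction weight (1, 3 or 5).
    The result can be negative: the deductions are not capped at 110.
    """
    for ctrl, weight in missing.items():
        if weight not in VALID_WEIGHTS:
            raise ValueError(
                f"{ctrl}: weight {weight} is not one of {sorted(VALID_WEIGHTS)}"
            )
    return PERFECT_SCORE - sum(missing.values())


def naive_score(missing: Iterable[str]) -> int:
    """The mistake described above: subtract one point per missing control."""
    return PERFECT_SCORE - len(list(missing))


def build_constructed_gaps() -> Dict[str, int]:
    """Constructed set of 34 missing controls: 15 weighted 5, 10 weighted 3,
    9 weighted 1 (deductions total 75 + 30 + 9 = 114). The IDs are placeholders,
    not real NIST SP 800-171 control numbers."""
    gaps: Dict[str, int] = {}
    for n in range(1, 16):
        gaps[f"EXAMPLE-5PT-{n:02d}"] = 5
    for n in range(1, 11):
        gaps[f"EXAMPLE-3PT-{n:02d}"] = 3
    for n in range(1, 10):
        gaps[f"EXAMPLE-1PT-{n:02d}"] = 1
    return gaps


def score_report(missing: Dict[str, int]) -> Dict[str, int]:
    """Summarise a gap list: how many controls are missing, the naive score a
    contractor might post by mistake, the correct weighted score, and how far
    the naive figure overstates the real one."""
    naive = naive_score(missing)
    weighted = weighted_score(missing)
    return {
        "missing_controls": len(missing),
        "naive_score": naive,
        "weighted_score": weighted,
        "overstated_by": naive - weighted,
    }


if __name__ == "__main__":
    report = score_report(build_constructed_gaps())
    for key, value in report.items():
        print(f"{key:>18}: {value}")
```

Running the block prints the four-line report for the constructed gap list (34 missing, naive 76, weighted -4, overstated by 80). To use it on a real assessment, replace the constructed dictionary with the contractor's actual gap list and the published weight for each control; any weight outside 1, 3 or 5 is rejected so a typo in the spreadsheet cannot silently inflate the score.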
As with other regulations, documentation is needed to validate compliance. This includes written policies, procedures, and evidence that the procedures are being consistently implemented. A written System Security Plan (SSP) is required along with written Plans of Action & Milestones (POA&M) for controls not fully implemented.
The interim rule has three audit levels: basic, medium, and high. Basic is the self-assessment done by the contractor. Medium is a “desk audit” requiring the contractor to send the DoD requested evidence of compliance. In-person or virtual “high” audits by DoD staff auditors require demonstrations that compliant processes are fully implemented.
Besides formal DoD audits, it is common for large prime contractors to send questionnaires or audit their subcontractors’ compliance with their cybersecurity contract requirements.
CMMC
CMMC is intended to ensure that security controls have been implemented and are routinely followed by defense contractors. Organizations Seeking Certification (OSC) must pass a CMMC Accreditation Body (CMMC-AB) independent assessment conducted by a Certified Third-Party Assessor Organization (C3PAO) to qualify for contracts that require CMMC.
CMMC protects both CUI and Federal Contract Information (FCI), meaning information not intended for public release that is provided by or for the government in connection with a product or service.
CMMC is broken down into five levels that build on each other. Contractors will be required to be certified at the required level when a contract is awarded. It is estimated that over 50% of all DoD contracts will only require CMMC Level 1 because many contractors do not store CUI. Contractors storing or processing CUI will be required to comply at Level 3 or above.
- Level 1 – Basic Cyber Hygiene: Includes 17 of the NIST SP 800-171 cybersecurity controls and is intended to safeguard FCI. It requires basic cybersecurity controls but does not require them to be documented.
- Level 2 – Intermediate Cyber Hygiene: Is considered a transitional step toward the protection of CUI. It includes the Level 1 requirements plus 55 more, for a total of 72. Documentation is required.
- Level 3 – Good Cyber Hygiene: The lowest certification level required to protect CUI, it includes all 110 practices in NIST SP 800-171 plus 20 additional practices.
- Level 4 – Proactive (156 practices) and Level 5 – Advanced/Progressive (171 practices): Include additional practices designed to protect against advanced persistent threats (APTs). It is expected that a very small percentage of contracts will include requirements at these levels.
Immediate and Long-Term Opportunities for MSPs Who Speak with Authority
MSPs can help defense contractors implement the cybersecurity processes and tools required by the NIST 800-171 interim rule in order to get new defense contracts and renewals. Remediation projects will close compliance gaps, and managed services will help businesses consistently implement the cybersecurity requirements. Solutions like RapidFire Tools Compliance Manager can produce auditable documentation to substantiate DFARS self-assessment scores and create evidence of ongoing NIST 800-171 compliance to help the business be ready at any time for a DoD or prime contractor audit.
The good news is, by helping businesses comply with the interim rule today, you are also helping them prepare for CMMC, so there won’t be any wasted effort. Even contractors that do not have CUI will need help securing their systems so they can comply at Level 1.
Because CMMC is tied directly to revenues and profits, business owners and executives are willing to invest in compliance. You shouldn’t face the same resistance you might see in healthcare and other regulated industries.
Your key to success, however, will be the ability to speak the language and sound like an authority, which you can do in hours, not the years it takes to become an expert. In this article alone there are 15 acronyms that you need to be familiar with so you can speak with authority. To shortcut your success and get your entire company on board quickly, check out CMMC for Profit, which is available in our Semel Systems library of education and shortcuts for MSPs. We have included hours of training videos, templates and checklists, an interim rule scoring tool, policies, and other things you can use to quickly be seen as an authority and immediately begin offering your services to defense contractors.
Our country needs a strong defense. This is how you can help secure our Defense Industrial Base (DIB, another acronym!) and make a profit at the same time.
MIKE SEMEL is a former MSP and founder of Semel Consulting, which provides advisory services to MSPs and end users for compliance, cybersecurity, and business continuity planning. He worked with CompTIA to develop its Security Trustmark Plus, and with RapidFire Tools to create Compliance Manager GRC.