March 31, 2021

CMMC Explained—and What It Means for MSPs

The new cybersecurity framework will be phased in through 2025, but MSPs can help defense contractors get new contracts now by bringing them into compliance with the DFARS interim rule.

The Cybersecurity Maturity Model Certification (CMMC) is the new cybersecurity framework for defense contractors that is being rolled out over five years. In the meantime, the Department of Defense (DoD) announced an interim rule requiring defense contractors to self-assess their implementation of the National Institute of Standards and Technology (NIST) Special Publication 800-171 cybersecurity controls and be subject to DoD audits.

Both CMMC and the interim rule provide huge opportunities for MSPs because financial penalties for noncompliance can be hefty. Many of the 300,000 defense contractors rely on their contracts to stay alive. Even those with a lower reliance on defense contracts don’t want to lose the profits. Failure to comply can result in cancelled contracts, being banned from future contracts, civil claims under the federal False Claims Act, and potential criminal penalties for fraud.

DFARS NIST 800-171 Interim Rule

The Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements are referenced in over 87% of defense contracts. Since 2017, the DFARS 252.204-7012 clause has required defense contractors to implement the 110 cybersecurity controls defined in NIST 800-171 to protect Controlled Unclassified Information (CUI).

Surveys and audits showed that most defense contractors had not complied with the DFARS requirement, however, so the DoD created CMMC, which requires them to pass an independent cybersecurity assessment to qualify for defense contracts. CMMC necessitates that an entire new ecosystem be developed from the ground up—building out the training materials and trainers, training and certifying assessors and consultants, and then assessing and certifying over 300,000 defense contractors—and will not be mandated in all defense contracts until FY 2026, which begins in October 2025.

Because of the long rollout, the DoD announced an interim rule in September 2020 that requires contractors to score their implementation of NIST SP 800-171 and post their score in the federal Supplier Performance Risk System (SPRS) database to get new defense contracts and renewals until CMMC takes effect. The interim rule became effective at the end of November 2020.

Scoring is weighted: for each missing control, its assigned deduction of 1, 3, or 5 points is subtracted from a perfect score of 110 (the number of controls in NIST 800-171). The score submitted to the federal database is good for three years, but ongoing compliance is required because the contractor must be prepared for a DoD or prime contractor audit at any time.

Negative scores are possible. For example, a new client asked for our help implementing the 34 controls they were missing. During our initial meetings they told us they had posted a score of 76 into SPRS by simply subtracting one point for each of their missing controls. After we began working with them, we accurately deducted the weighted scores for their missing controls and determined that their score was really –4.
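A score calculator for the weighted method described above, added here as an example (it is not from the article or the DoD's assessment methodology). The control IDs and the mix of sixteen 5-point, eight 3-point, and ten 1-point missing controls are constructed so that the naive count gives 76 while the weighted deduction gives the -4 from the anecdote; the real per-control weights are published in the DoD's NIST SP 800-171 assessment methodology, not reproduced here.

```python
# Added example, not the article's or the DoD's code. Control IDs and weights
# below are constructed placeholders chosen to reproduce the article's anecdote.

PERFECT_SCORE = 110          # one point per NIST SP 800-171 control
ALLOWED_WEIGHTS = {1, 3, 5}  # deduction values the methodology assigns

# Constructed weight table: 34 controls the contractor has not implemented.
WEIGHTS = {}
WEIGHTS.update({f"ctrl-5pt-{i:02d}": 5 for i in range(16)})
WEIGHTS.update({f"ctrl-3pt-{i:02d}": 3 for i in range(8)})
WEIGHTS.update({f"ctrl-1pt-{i:02d}": 1 for i in range(10)})
MISSING = sorted(WEIGHTS)


def naive_score(missing):
    """The mistake from the anecdote: subtract one point per missing control."""
    return PERFECT_SCORE - len(missing)


def weighted_score(weights, missing):
    """Subtract each missing control's assigned weight; result may be negative."""
    total = PERFECT_SCORE
    for control in missing:
        if control not in weights:
            raise KeyError(f"{control}: no weight assigned in the table")
        weight = weights[control]
        if weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{control}: weight {weight} is not 1, 3 or 5")
        total -= weight
    return total


def deduction_breakdown(weights, missing):
    """Count missing controls per weight, useful for prioritising a POA&M."""
    counts = {w: 0 for w in sorted(ALLOWED_WEIGHTS, reverse=True)}
    for control in missing:
        counts[weights[control]] += 1
    return counts


if __name__ == "__main__":
    print("naive score   :", naive_score(MISSING))
    print("weighted score:", weighted_score(WEIGHTS, MISSING))
    print("missing by weight:", deduction_breakdown(WEIGHTS, MISSING))
```

The 5-point bucket is where remediation effort pays off first: each of those controls moves the posted score five times as far as a 1-point control.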

As with other regulations, documentation is needed to validate compliance. This includes written policies, procedures, and evidence that the procedures are being consistently implemented. A written System Security Plan (SSP) is required along with written Plans of Action & Milestones (POA&M) for controls not fully implemented.

The interim rule has three audit levels: basic, medium, and high. Basic is the self-assessment done by the contractor. Medium is a “desk audit” requiring the contractor to send the DoD requested evidence of compliance. In-person or virtual “high” audits by DoD staff auditors require demonstrations that compliant processes are fully implemented.

Besides formal DoD audits, it is common for large prime contractors to send questionnaires or audit their subcontractors’ compliance with their cybersecurity contract requirements.

CMMC

CMMC is intended to ensure that security controls have been implemented and are routinely followed by defense contractors. Organizations Seeking Certification (OSC) must pass a CMMC Accreditation Body (CMMC-AB) independent assessment conducted by a Certified Third-Party Assessor Organization (C3PAO) to qualify for contracts that require CMMC.

CMMC protects both CUI and Federal Contract Information (FCI), which is information provided by or generated for the government in connection with a product or service and not intended for public release.

CMMC is broken down into five levels that build on each other. Contractors will be required to be certified at the required level when a contract is awarded. It is estimated that over 50% of all DoD contracts will only require CMMC Level 1 because many contractors do not store CUI. Contractors storing or processing CUI will be required to comply at Level 3 or above.

  • Level 1 – Basic Cyber Hygiene: Includes 17 of the NIST SP 800-171 cybersecurity controls and is intended to safeguard FCI. It requires basic cybersecurity controls but does not require them to be documented.
  • Level 2 – Intermediate Cyber Hygiene: Is considered a transitional step toward the protection of CUI. It includes the Level 1 requirements plus 55 more, for a total of 72. Documentation is required.
  • Level 3 – Good Cyber Hygiene: The lowest certification level required to protect CUI, it includes all 110 practices in NIST SP 800-171 plus 20 additional practices.
  • Level 4 – Proactive (156 practices) and Level 5 – Advanced/Progressive (171 practices): Include additional practices designed to protect against advanced persistent threats (APTs). It is expected that a very small percentage of contracts will include requirements at these levels.
