Everything You’ve Ever Wanted to Know About Cybersecurity Compliance In the US

Vendors that want to work with the Department of Defense and other government bodies are facing (what feels like) an uphill battle against increasingly complex compliance requirements. DFARS, NIST SP 800-171, and now CMMC create a layered system of regulations that can be difficult to understand and even harder to implement, especially for smaller companies with limited budgets and limited cybersecurity expertise. 

If you want to become compliant (and, more importantly, start winning contracts), it’s important to understand where these requirements come from and why they exist.

The History of Cybersecurity Regulations In a Nutshell 

It all started with an increase in cyber threats targeting the Defense Industrial Base (DIB) in the early 2010s. A large-scale cyber espionage campaign called Operation Shady RAT targeted more than seventy U.S. defense contractors and government agencies, stealing vast amounts of data. Cybercriminal groups (including state-sponsored criminal groups) realized that the DIB was a lucrative target and began targeting commercial firms, not-for-profit research centers, government-owned industrial facilities, and vendors in earnest. 

Suffice it to say that Congress took the threat seriously. Disruptions to the DoD supply chain caused by cyberattacks can delay or prevent critical equipment and technology from reaching the military. There were also (justifiable) fears about the threat to national security. The DoD supply chain handles a vast amount of sensitive information, including classified data, intellectual property related to weapon systems, and personal information of military personnel, as well as non-classified information related to trade secrets, proprietary technology, and critical infrastructure systems such as power grids and transportation networks (known as Controlled Unclassified Information (CUI)).

This led to the creation of DFARS 252.204-7012 (also known as DFARS 7012). This clause was implemented in 2012 and mandated compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST SP 800-171) for Department of Defense (DoD) contractors handling Controlled Unclassified Information (CUI).

What Is DFARS 7012?

While it may seem like ancient history, the DFARS 7012 clause was the first to require DoD contractors to implement the security controls outlined in NIST SP 800-171 to safeguard CUI. DFARS 7012 established NIST SP 800-171 as the baseline standard, aimed at strengthening the cybersecurity of DoD contractors through controls such as access control, incident response procedures, and proactive system monitoring.

However, the clause wasn’t entirely successful in reaching its goals. The basis of DFARS 7012 is self-attestation or self-declaration. See the flaw in the system? Contractors simply declared they were complying with NIST SP 800-171, but there was no independent verification. This lack of oversight meant that some contractors may not have implemented the controls effectively, creating vulnerabilities in the supply chain. 

Scope was another issue. DFARS 7012 only applied to contractors handling CUI. This left a gap in cybersecurity requirements for contractors handling information that is not CUI but is still critical to DoD operations.

The limitations became very evident, very quickly, which led to the development of the Cybersecurity Maturity Model Certification (CMMC) program. The goal of CMMC is to address the issue of self-attestation head-on through a tiered certification system with independent verification.

CMMC builds upon the foundation established by NIST SP 800-171. The security controls within NIST SP 800-171 serve as the core set of practices required to achieve a strong cybersecurity posture, although CMMC doesn’t necessarily require adherence to all 110 controls at every level (more on that later!).

The Road to CMMC

By December 2017, it became evident that many manufacturers weren't fully compliant with DFARS 7012, which prompted the DoD to look for a more reliable solution. Two important responses were issued to address the shortcomings of the self-assessment model: the DFARS Interim Rule (Case 2019-D041) and the development of the CMMC program.

The DFARS interim rule served as a temporary measure to bridge the gap between DFARS 7012 and the implementation of CMMC. This rule aimed to improve transparency and accountability by requiring manufacturers to submit their cybersecurity implementation status (score) into the Supplier Performance Risk System (SPRS) by November 2019.

The score submitted to SPRS could come from two sources:

  • DIBCAC Audit: Manufacturers who underwent a formal audit by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) received a score from the DoD itself.
  • Basic Self-Assessment: For most manufacturers, a self-assessment was the primary option. This assessment could be conducted internally or by a third-party organization. 

While self-assessments provided some insight, they still lacked the rigor of independent audits. This remained a key limitation of the system.

Recognizing the limitations of DFARS 7012 and the reliance on self-assessment, the DoD began developing the Cybersecurity Maturity Model Certification (CMMC) program.

What Is the CMMC?

CMMC is the official program replacing the reliance on self-assessment under DFARS 7012. It introduces a tiered certification system with independent audits, providing a more reliable assessment of cybersecurity maturity.

Like DFARS 7012, the goal of CMMC is to mitigate cyber risks within the DoD supply chain by requiring defense contractors to achieve a specific level of cybersecurity maturity and to ensure that Controlled Unclassified Information (CUI) shared with contractors is protected from unauthorized access, disclosure, or misuse.

CMMC goes beyond just having policies and procedures in place. It emphasizes the actual implementation and demonstrably effective use of cybersecurity controls outlined in NIST SP 800-171.

Independent audits provide a clearer picture of a contractor's cybersecurity posture, fostering trust and collaboration, while the tiered system ensures that all contractors meet a minimum cybersecurity standard, creating a level playing field for competition.

CMMC 1.0 vs CMMC 2.0

Introduced in 2020, CMMC 1.0 established a five-level certification system (Levels 1-5) to assess a contractor's cybersecurity maturity. Each level had specific requirements based on the NIST SP 800-171 security controls. Higher levels demanded more stringent practices.

CMMC 1.0 primarily focused on protecting Controlled Unclassified Information (CUI) at rest.

CMMC 1.0 was replaced by CMMC 2.0 in 2021. CMMC 2.0 streamlined the program by reducing the certification levels from five to three (Levels 1-3). The update aims to be more user-friendly for contractors and to reduce complexity and cost while still achieving the core objective of enhancing cybersecurity within the DoD supply chain through a focus on protecting CUI in all its forms.

CMMC 2.0 also eliminated the "delta" practices unique to CMMC 1.0 and focused on the core NIST SP 800-171 controls, for greater clarity and closer alignment with the standard.

CMMC 2.0 broadened the focus to encompass CUI in transit and at rest, providing more comprehensive protection.

Manufacturers who receive CUI must comply with Level 2, which requires all 110 NIST SP 800-171 controls. Those who do not receive CUI must comply with Level 1, which requires only 17 of the NIST SP 800-171 controls.

CMMC 2.0 will be implemented through a new DFARS rule that will supersede DFARS 7012 once it becomes law.

The official rollout for mandatory CMMC implementation is still being determined, with a likely time frame of late 2024 or early 2025, which means that contractors have to ensure that they comply with requirements as soon as possible if they want to continue their work with the DoD.

Meeting Compliance Requirements 

Both CMMC and DFARS 7012 take their lead from the NIST SP 800-171, which outlines the 110 specific security controls contractors need to implement to safeguard Controlled Unclassified Information (CUI). The 110 controls are categorized into 14 families, each addressing a specific aspect of cybersecurity. 

Even the earliest versions of the framework required documenting and measuring the way the supplier addresses the 110 controls using a roadmap called a System Security Plan (SSP). The SSP details specific policies, procedures, and technologies firms use to achieve compliance for each control.

Most firms quickly realized that they fell short of some of the recommended/required controls, which led to the widespread adoption of a gap analysis tool known as the Plan of Action and Milestones (POAM). The POAM identifies the areas where current cybersecurity practices fall short of the controls outlined in the SSP (and NIST SP 800-171) and serves as an action plan, detailing the specific steps businesses need to take to achieve compliance for each missing control (e.g., acquiring new technology, implementing new policies, or conducting employee training).

The POAM establishes clear milestones with target dates and assigns responsible parties for each action item.

It's important to remember that not all 110 controls may be equally applicable to your specific organization. CMMC compliance may also have additional requirements beyond the 110 controls in NIST SP 800-171, depending on the specific CMMC level your organization needs to achieve.

A risk assessment or gap analysis should be conducted to determine which controls are most relevant to your business and the CUI you handle.

Where We Come In

While it’s an important step towards a more secure digital future, the Cybersecurity Maturity Model Certification (CMMC) program presents a significant challenge for smaller defense contractors. Crucial as they are for national security, the requirements can be overwhelming for companies with limited IT budgets and few, if any, dedicated cybersecurity professionals.

CMMC compliance necessitates implementing a robust set of cybersecurity controls outlined in NIST SP 800-171. Smaller businesses often lack the resources to handle this internally. They may have limited IT staff and tight budgets, making it difficult to invest in necessary technology and expertise.

Here’s where we come in! 

Site2 acts as a Registered Practitioner Organization (RPO) on the Cyber Security Accreditation Board (Cyber-ab.org) marketplace. This platform connects manufacturers with qualified service providers like Site2.

We offer a range of services to assist small businesses in achieving CMMC compliance:

  • Guidance and Support: We can help manufacturers understand the CMMC requirements, identify their specific needs, and develop a roadmap for achieving compliance.
  • Gap Analysis: Our team can assess a company's current cybersecurity posture and identify areas where they fall short of CMMC requirements.
  • Implementation Assistance: We can help implement the necessary security controls, including policies, procedures, and technologies.
  • Training and Awareness: We can provide training for employees on cybersecurity best practices to ensure everyone is aware of their role in protecting sensitive information.

While we’re not a Certified 3rd Party Auditor (C3PAO) authorized to issue certifications, we can help manufacturers prepare for and successfully pass CMMC audits conducted by independent C3PAOs.

By leveraging Site2's support, smaller defense contractors can achieve compliance, mitigate cyber risks, and remain competitive in the DoD supply chain. In fact, that is exactly what we’ve been doing since we started. 

Get in touch with one of our compliance experts today to find out how we can help your business.