Navigating CMMC Compliance: Preparing for New Cybersecurity Requirements

Huntington Ingalls' recently published communication to its subcontractors regarding mandatory CMMC flow-down requirements reflects the upcoming changes in cybersecurity regulations for defense contractors.

Here's a summary of the key points and their implications: 

The Cybersecurity Maturity Model Certification (CMMC) program is nearing its final stages of implementation. The proposed rule has been published and is expected to become law soon. Prime contractors like Huntington Ingalls are proactively informing subcontractors about the mandatory flow-down requirements. The CMMC program will apply to DoD contracts above the micro-purchase threshold where contractors handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). 

Flow-Down Requirements  

  • Prime contractors must ensure their subcontractors have current CMMC certificates or self-assessments at the appropriate level. 

  • The CMMC level required for subcontractors will match the sensitivity of the information they handle. 

There has been significant discussion about CMMC on social media, but official government communication has been lacking. The core requirement is compliance with NIST SP 800-171, which has been in place since 2012. The main change is the introduction of third-party audits for certain CMMC levels.

All DoD contractors and their supply chains working with Federal Contract Information (FCI) must meet 17 CMMC controls to achieve CMMC Level 1 self-attestation. These are foundational “cyber hygiene” requirements outlined in 48 CFR 52.204-21 and further defined in NIST SP 800-171 Revision 2.

Executive Order 13556 requires safeguarding and labeling Controlled Unclassified Information (CUI), which includes defined classes of information produced by the government and by DoD contractors. CUI needs more stringent protection. Contractors handling CUI (and their supply chain) must meet 110 controls and enter their score into the Supplier Performance Risk System (SPRS) to meet CMMC Level 2.

The DoD plans a phased rollout of CMMC 2.0 over approximately two and a half years: 

  • Phase 1: Self-assessments for Levels 1 and 2 

  • Phase 2: Level 2 certification requirements added 

  • Phase 3: Level 2 certification extended to existing contracts; Level 3 certification required for applicable contracts 

 

Here’s how Trusted Internet is pitching in to help small businesses that are unable to complete the requirements on their own:

Trusted Internet is hosting no-cost workshops, in person in New Hampshire and online for everyone else. These roughly half-day working sessions help companies conduct a baseline assessment.

  • You’ll leave with a baseline assessment, a good set of policy starters, and a prioritized list of work that must be completed to comply.  

  • You’ll be invited to our weekly CMMC Support Group for the next four weeks to assist with any questions.  

  • Once completed, you’ll be invited to our ongoing online CMMC Support Group. 

Over the past two weeks, we've had an impressive turnout of companies eager to strengthen their cybersecurity posture, with more workshops on the horizon. If you're a small business seeking guidance on CMMC compliance, don’t miss this opportunity!

Contact Trusted Internet at staysafeonline@trustedinternet.io to secure your invitation to our next workshop. Plus, once completed, you'll gain access to our exclusive online CMMC Support Group, where you can continue receiving expert advice and network with peers.
