The first regulation will require all businesses working on U.S. Department of Defense (DoD) projects — either directly or as subcontractors — to comply with the Cybersecurity Maturity Model Certification (CMMC) program. The CMMC program serves as a verification mechanism for demonstrating adequate security of the people, processes, and technologies with access to federal contract information.
The program was officially established last December, and certification requirements are expected to begin appearing in DoD contracts later this year. CMMC includes 3 certification levels ranging from a basic set of 15 requirements to an advanced collection of 134 requirements. At Level 1, organizations may self-assess, while Levels 2 and 3 require organizations to undergo third-party audits. All levels also specify requirements for security incident reporting, provisions for leveraged cloud services, and flow-down requirements for subcontractors.
During the solicitation process, DoD contracts will specify which level a supplier must attain to be eligible, and contractors must have achieved certification at the time of award. While the phased rollout of CMMC implies several years before reaching “full implementation,” businesses should begin considering compliance to account for the extensive preparation process, avoid missing out on lucrative opportunities, and promote U.S. national security interests.
The FAR CUI Rule
The second regulation is broader, applying to all federal contractors — not just those serving the DoD. Health information and student records are among the categories of controlled unclassified information (CUI) that will impact Dayton-area businesses outside the DoD ecosystem.
An initial draft of the regulation referred to as the “FAR CUI Rule” was publicly released this January.
The rule is similar to the CMMC program in many ways but includes some notable differences. Unlike the CMMC program, the proposed FAR CUI Rule does not include a phased rollout. Once the FAR CUI Rule goes into effect, the switch is flipped and federal contractors must be compliant.
It also does not require third-party certification audits — though this has been proposed as a potential modification, and contractors may still be required to submit evidence of compliance. Finally, the proposed rule also includes requirements for federal contractors that are not expected to have access to CUI. They will still be subject to incident reporting requirements in the event they do encounter CUI.
How Businesses Can Prepare
Businesses working on federal contracts must prepare for these changes to avoid disruptions in their business relationships. Implementing the required controls to achieve full compliance can take 12-18 months, so the earlier, the better.
First, business leaders should assess their existing customer relationships to determine whether these regulations will impact them directly, as well as whether any of their customers will be subject to the requirements, in which case the obligations could flow down to them contractually.
For organizations which will be affected, business leaders should begin familiarizing themselves with the applicable requirements, such as those in Federal Acquisition Regulation (FAR) 52.204-21 and NIST Special Publication 800-171 (Revision 2). They should then coordinate with their management teams to develop a strategic plan for achieving compliance.
As a practical first step in the implementation process, businesses should perform a gap analysis to assess their current compliance posture. Doing so is integral for defining a path to compliance and building a viable project plan. Business leaders should also consider working with external service providers familiar with the requirements. Organizations such as Cyber AB Registered Practitioner Organizations (RPOs) and Certified Third-Party Assessor Organizations (C3PAOs) can provide insights and guidance to assist businesses as they build their security and compliance programs.
By keeping an eye on the horizon and preparing for what’s to come in terms of cybersecurity regulation, Dayton-area businesses working with the federal government can ensure ongoing success and help maintain the Gem City’s reputation as a leader in innovation.
David Sutherin is the founder of Dayton-based Triumvirate Cybersecurity Consulting, committed to advocating for IT security, governance, and regulatory compliance.