The Department of Defense (DoD) routinely relies on private sector companies to provide needed goods and services, but that reliance comes with serious cybersecurity risks to the military if a contractor or subcontractor’s information systems are compromised. Companies entrusted with Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) present a tempting target for malicious actors, which has prompted the DoD to take measures aimed at compelling those companies to implement security protocols necessary to protect sensitive information processed, stored, or transmitted on their systems.
As efforts to mitigate the risk via contract clause proved insufficient, the DoD began developing the Cybersecurity Maturity Model Certification (CMMC) program in 2019 to create a mechanism to verify that contractors and subcontractors have actually implemented the required security controls. As the final shape of the program comes into focus, renewed concerns about the regulatory burden on businesses are being voiced, but the message is clear: the government is serious about holding defense contractors and subcontractors, large and small, responsible for their cybersecurity readiness.
On December 26, 2023, the DoD published the Proposed Final Rule for CMMC 2.0, opening the 60-day comment period that closed February 26, 2024. While rulemaking is not yet complete, the proposed rule indicates that its requirements will be mandatory for all DoD procurement valued at or above the micro-purchase threshold. Companies that do not act now to frankly assess their current cybersecurity readiness for compliance run the risk of being unprepared for full implementation of CMMC 2.0, putting their contracts and their ability to work for the DoD on the line.
The CMMC program requires that companies entrusted with national security information put cybersecurity measures in place at increasingly strict levels, depending on the nature and sensitivity of the information handled. It also allows the DoD to verify that the correct cybersecurity measures have been implemented. The proposed final rule reaffirms that companies handling CUI will be required to comply with cybersecurity standards in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
The CMMC is divided into three levels of security maturity, and the level an organization is required to meet varies depending on the type of sensitive information they handle. Compliance can be affirmed through self-assessment at some levels, while others will require third-party or DoD assessment. Contractors and subcontractors will also be required to have a senior official from their organization annually affirm continuing compliance with the applicable security standards for each level.
Ultimately, meeting applicable CMMC requirements will be a precondition for being awarded a federal contract, although the final rule has not yet gone into effect. Under the phased plan laid out in the proposed final rule, self-assessments and certification assessments would be gradually introduced starting on the effective date of the Defense Federal Acquisition Regulation Supplement (DFARS) rule. The DoD intends to include CMMC requirements for all three levels in all DoD solicitations on or after October 1, 2026, under this phased plan. Companies should be developing their CMMC compliance program now to ensure they are not caught out.
How seriously do contractors need to take these rules? The required annual affirmations are a red flag that misrepresentations could result in serious government action against contractors who fail to truly verify that they are meeting the required standards. Consequences could include contract termination, negative past performance ratings, suspension or debarment, or False Claims Act damages or fines. If you have any doubts about your company’s readiness to meet and maintain CMMC compliance, Right Click can help.
As an IT and cybersecurity firm with over 25 years of experience, Right Click is your ideal partner for achieving CMMC compliance and protecting the future of your defense contracting business. We assess your current state of cybersecurity readiness, devise an individualized plan to remediate gaps and implement proper data protection strategies, and work with you to ensure ongoing accurate compliance. To learn more about what the proposed final rule means for your company, contact Right Click to schedule your consultation today.