CMMC Compliance Requirements for DoD Contractors and Subcontractors in the Defense Industry
CMMC compliance is mandatory for DoD contractors and subcontractors. Learn about certification levels, requirements, and the consequences of failing to meet compliance.

The defense industry now works mostly in the digital space. As such, protecting sensitive information has become a high priority for the Department of Defense (DoD). One way of doing that is by requiring any contractors who work with the DoD to adhere to a strict cybersecurity framework.
This framework, the Cybersecurity Maturity Model Certification (CMMC), is a comprehensive outline of requirements and best practices to secure projects created for the defense industrial base. Contractors and subcontractors working within the defense supply chain, therefore, must develop a strong understanding of the CMMC and adhere to its guidelines.
CMMC Compliance Requirements for DoD Contractors
Contractors who work with the DoD will, necessarily, store sensitive defense information on their computer systems. The CMMC builds upon the foundation laid out in NIST Special Publication 800-171 to introduce a tiered model of cybersecurity practices.
All organizations that work within the defense supply chain must implement and maintain the CMMC at the level appropriate for their work. The framework provides three levels:
- Level 1: Foundational - Focuses on basic cybersecurity practices to protect Federal Contract Information (FCI). This level covers basic safeguards, such as using antivirus software, choosing strong passwords, and controlling who has physical access to systems.
- Level 2: Advanced - This level focuses on keeping Controlled Unclassified Information (CUI) secure from unauthorized access. It covers everything in level 1 plus the additional requirements outlined in NIST SP 800-171.
- Level 3: Expert - For critical national security projects, level 3 further increases the requirements. It includes everything from the previous two levels, plus additional controls to deal with advanced persistent threats.
The level required of any particular DoD contractor is determined by the specific contract requirement and the sensitivity of the information they work with. You do not need to be CMMC certified to bid on a DoD contract; however, if the solicitation includes CMMC requirements, you must have the appropriate CMMC status in place to be eligible for award. In addition, even before CMMC requirements are fully in effect, many DoD contracts already require a NIST SP 800-171 self-assessment with results posted in SPRS under DFARS clause 252.204-7019. This applies to any contractor required to implement NIST SP 800-171, and it is a prerequisite for award of those contracts.
How CMMC Affects Subcontractors in the Defense Supply Chain
It isn’t just contractors who work directly with the DoD who need to comply with the CMMC. Limiting the requirement to prime contractors would create a security gap whenever a contractor brought in a subcontractor. The prime contractor is therefore responsible for ensuring that any subcontractors they work with meet the appropriate CMMC requirements for the project. This includes:
- Verifying subcontractor CMMC compliance before hiring them
- Including CMMC requirements in all agreements with subcontractors
- Monitoring subcontractor compliance throughout the project
For subcontractors, it’s important to note that this requirement trickles down. If they hire any subcontractors of their own, those organizations must also meet the same CMMC requirements. Meeting these requirements can come with significant expense, especially for smaller contractors. Anyone who accepts one of these contracts should have a cost management strategy in place.
Steps for Subcontractors to Achieve CMMC Compliance
Much like prime contractors, subcontractors working on DoD projects must follow a methodical approach to CMMC compliance. The steps below outline the essentials of working with the framework:
- Determine required CMMC level - Review the terms of the contract and have discussions with the prime contractor to understand which CMMC level applies to the project.
- Conduct a gap assessment - Perform a NIST SP 800-171 self-assessment to see where the gaps are between your current security practices and the CMMC requirements for your level.
- Implement required controls - After assessing the gaps, address each of them in turn with the appropriate controls outlined in the framework.
- Develop documentation - Create a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) to record security practices, identify any gaps, and outline plans for remediation. Ensure these documents are reviewed and updated regularly to reflect the current state of your security posture.
- Prepare for assessment - If your certification level requires it, prepare for a CMMC Third-Party Assessment Organization (C3PAO) to verify your compliance.
To implement all of these steps effectively, firms should coordinate their efforts across organizational departments. In particular, the IT, security, procurement, and management teams should all work together to ensure every requirement is met. Depending on the complexity of your needs, it can be extremely beneficial to work with a CMMC Registered Practitioner Organization (RPO) that has expertise with Microsoft GCC High, Azure Government, and the requirements set forth by CMMC, including NIST and DFARS.
What Happens If a Contractor Fails to Meet CMMC Requirements?
Whether you’re the prime contractor or a subcontractor, failure to meet the CMMC requirements can result in severe repercussions. Companies that fail to meet the requirements for certification face:
- Loss of contract opportunities - Contractors who don’t have the appropriate CMMC certification are ineligible for new DoD contracts and may be unable to maintain their existing contracts.
- Increased cybersecurity risk - Because the CMMC controls exist to reduce exactly this risk, non-compliant companies are also more vulnerable to cyber-attacks, which could threaten national security.
- Legal and financial penalties - Contractors who fail to maintain the contracted CMMC level could face financial penalties and legal liability in addition to losing their contracts.
- Reputational damage - Compliance failures can cause reputational harm to businesses that work across the defense industrial base.
CMMC Compliance for Small Businesses in the Defense Industry
Small businesses make up a large share of defense industrial base contractors. However, they often face disproportionate challenges when dealing with the CMMC. The limited resources and reduced access to technical expertise available to small businesses can leave them struggling with:
- Limited cybersecurity budgets
- Lack of dedicated security personnel
- Fewer technical resources
- Complex compliance requirements
Thankfully, the DoD and the various organizations that work with it are aware of these difficulties and have created resources for small business owners who want to land CMMC jobs:
- DoD Funding Programs - The Department of Defense has several funding opportunities designed to help small defense contractors improve their cybersecurity practices.
- NSA cybersecurity services - The National Security Agency offers several no-cost services to aid with cybersecurity efforts.
- CMMC Registered Provider Organizations (RPOs) - These organizations provide services, like AgileThrive, that help newcomers get started with CMMC certification.
- Managed Security Providers (MSPs) - Specialized services, like AgileDefend, can do the heavy lifting for CMMC security controls, often more affordably than building in-house capabilities.
- Security as a Service - Cloud-based security solutions, such as Microsoft GCC High, can provide the needed protections without large expenditures on in-house infrastructure.
Small businesses that wish to pursue CMMC contracts should consider taking advantage of these programs to set themselves up for success.
Conclusion
CMMC compliance is a significant hurdle, though it is a required one for anyone working with the DoD in a contractor or subcontractor capacity. By implementing the proper security controls, businesses will not only meet the requirements but also protect sensitive defense information in an increasingly insecure digital landscape.
If you need help with CMMC compliance, contact Agile IT for a comprehensive assessment. Whether you need help getting started or want someone to do all of the heavy lifting, Agile IT can help. Our team of security experts specializes in helping defense contractors understand the complexities of CMMC compliance.