Did you know that contracts with the Department of Defense (DoD), NASA, and GSA include the “Basic Safeguarding of Covered Contractor Information Systems” clause (FAR 52.204-21)? This clause, in effect since June 2016, requires government contractors, at a minimum, to implement and follow its 15 basic safeguarding requirements, a subset of the security requirements in NIST Special Publication 800-171, on the contractor systems that process, store, or transmit government information. By accepting a contract that includes FAR 52.204-21, a contractor attests that it can safeguard its business operations and the government information it processes, transmits, and stores. Failure to comply can result in contract termination and other penalties.
The Department of Defense established a three-tiered certification framework, the Cybersecurity Maturity Model Certification (CMMC), to verify that its contractors actually implement these safeguarding requirements: FAR 52.204-21 at the lowest level, and NIST SP 800-171 and NIST SP 800-172 at the levels above it.
- Level 1 applies to contractors that only process, transmit, and store Federal Contract Information (FCI). This level corresponds with FAR 52.204-21, slightly expanded into 17 requirements.
- Level 2 applies to contractors that process, transmit, and store Controlled Unclassified Information (CUI). This level corresponds with the full 110 controls of NIST SP 800-171.
- Level 3 applies to contractors that process, transmit, and store the most sensitive CUI and adds a subset of the enhanced requirements of NIST SP 800-172 on top of the Level 2 controls.
This article will focus on contracts involving the FAR 52.204-21 clause (Level 1) for contractors handling Federal Contract Information (FCI), defined by FAR Part 4.1901.
Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments.
What are some examples of FCI?
- Delivery dates
- Contract performance reports
What is NOT FCI?
- Monthly invoices from the contractor to the government
- Receipts of payment of the invoices from the government to the contractor
- Contractor employee time and attendance tracking
Does your organization only process, store, and transmit FCI? If so, you need to plan for and implement the 17 practices of CMMC Level 1. But what exactly are these practices? The CMMC 2.0 Model (figure below) lists the practices and the assessment type for each level; at Level 1, which is self-assessed, the 17 practices are grouped into six “Domains”.
CMMC Model 2.0 (figure)
In brief, the 6 domains of the Level 1 Foundation are defined as follows. Note that these descriptions are taken from the CMMC model and are worded in terms of CUI; at Level 1 the information in scope is FCI, so read “CUI” below as the FCI your systems handle.
Access Control (AC): Access Control activities ensure access granted to organizational systems, and information is commensurate with defined access requirements. Access requirements are developed based on the organization’s needs, balanced with the security requirements needed to protect the organization’s assets.
Identification and Authentication (IA): Identification and Authentication domain activities ensure identities who have access to CUI are established, managed, and authenticated in accordance with CUI protection requirements.
Media Protection (MP): Media Protection activities ensure media used to store or transport CUI is identified and protected in accordance with defined requirements.
Physical Protection (PE): Physical Protection activities ensure that physical access to CUI asset containers is strictly controlled, managed, and monitored in accordance with CUI protection requirements.
System and Communications Protection (SC): System and Communications Protection activities ensure the organization actively identifies, manages, and controls all system and communication channels that store or transmit CUI.
System and Information Integrity (SI): System and Information Integrity activities ensure that technology assets (e.g., desktops, software) that contain CUI are continuously monitored to detect violations of the authorized security state. Additionally, electronic mail (e-mail), a common attack vector, is monitored and protected to detect malicious activity.
Each of the 6 domains contains several practices, and each practice has one or more assessment objectives. In total, CMMC Level 1 has 6 domains, 17 practices, and 59 objectives. Each of the 17 practices carries a weight of 1, 3, or 5 points. A practice can only be scored once every one of its objectives is marked “Met” or “Not Applicable”; a single “Not Met” objective leaves the whole practice unmet. This weighting is the one used to generate a contractor’s Supplier Performance Risk System (SPRS) score under the NIST SP 800-171 DoD Assessment Methodology, but it has not been officially adopted for any CMMC level. If and when it is adopted for CMMC, a contractor seeking CMMC Level 1 would need a score of at least 63 to be considered acceptable.
Once you have a score, how do you submit it? Contractors submit SPRS scores through the Procurement Integrated Enterprise Environment (PIEE), the online portal that fronts SPRS. At the time of writing, PIEE had not yet been updated to accept CMMC level self-assessment results; once the CMMC final rule is published, PIEE is expected to be updated to accommodate CMMC levels and scores.
If your company has not implemented all 17 practices for CMMC Level 1, you can create a Plan of Action and Milestones (POA&M) to address the deficiencies. This document lists each practice that is not fully met and the date by which it will be. Note that, under the scoring approach described above, only 1- and 3-point practices may be deferred to a POA&M; every 5-point practice must be fully implemented.
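As an added example (not code from the original article, and not a DoD or Cyber AB tool), the following Python script applies the scoring rules described above to a Level 1 self-assessment: it rolls objective results up to practice status, sums the practice weights, checks the 63-point threshold, and applies the POA&M rule that no 5-point practice may be left open. The practice identifiers follow the CMMC 2.0 naming convention from the Model Overview, and the 1/3/5 weights are assumed from the NIST SP 800-171 DoD Assessment Methodology; verify both against the current DoD documents before relying on them. The sample assessment at the bottom is constructed.

```python
"""Score a CMMC Level 1 self-assessment using the weighting rules in the article.

Illustrative code only, not an official tool. Practice IDs follow the CMMC 2.0
naming convention; the 1/3/5 weights are an assumption taken from the NIST SP
800-171 DoD Assessment Methodology and must be verified before use.
"""
from __future__ import annotations

MET, NOT_MET, NA = "Met", "Not Met", "N/A"
VALID_STATUSES = {MET, NOT_MET, NA}

# Practice -> weight (assumed, see module docstring). The weights sum to 63,
# the minimum score the article quotes, so Level 1 is only "acceptable" when
# every practice is Met.
LEVEL1_WEIGHTS = {
    "AC.L1-3.1.1": 5, "AC.L1-3.1.2": 5, "AC.L1-3.1.20": 1, "AC.L1-3.1.22": 1,
    "IA.L1-3.5.1": 5, "IA.L1-3.5.2": 5,
    "MP.L1-3.8.3": 5,
    "PE.L1-3.10.1": 5, "PE.L1-3.10.3": 1, "PE.L1-3.10.4": 1, "PE.L1-3.10.5": 1,
    "SC.L1-3.13.1": 5, "SC.L1-3.13.5": 5,
    "SI.L1-3.14.1": 5, "SI.L1-3.14.2": 5, "SI.L1-3.14.4": 5, "SI.L1-3.14.5": 3,
}
MAX_SCORE = sum(LEVEL1_WEIGHTS.values())  # 63


def practice_status(objective_statuses: list[str]) -> str:
    """Roll objective results up to a practice.

    A practice is Met only when every objective is Met or N/A; one Not Met
    objective leaves the whole practice unmet. Unknown statuses are rejected
    so a typo in a worksheet cannot silently count as compliant.
    """
    if not objective_statuses:
        raise ValueError("a practice must have at least one assessed objective")
    for status in objective_statuses:
        if status not in VALID_STATUSES:
            raise ValueError(f"unknown objective status {status!r}")
    return MET if all(s in (MET, NA) for s in objective_statuses) else NOT_MET


def score_assessment(assessment: dict[str, list[str]]) -> tuple[int, list[str]]:
    """Return (score, open_practices) for a full Level 1 assessment.

    `assessment` maps each Level 1 practice ID to its list of objective
    statuses. Every practice must be present: an unassessed practice cannot be
    scored at all, so it is rejected rather than quietly counted as 0.
    """
    missing = LEVEL1_WEIGHTS.keys() - assessment.keys()
    unknown = assessment.keys() - LEVEL1_WEIGHTS.keys()
    if missing or unknown:
        raise ValueError(
            f"missing practices {sorted(missing)}, unknown practices {sorted(unknown)}"
        )
    score = 0
    open_practices: list[str] = []
    for pid, weight in LEVEL1_WEIGHTS.items():
        if practice_status(assessment[pid]) == MET:
            score += weight
        else:
            open_practices.append(pid)
    return score, open_practices


def poam_allowed(open_practices: list[str]) -> bool:
    """Article's POA&M rule: 1- and 3-point practices may be deferred to a
    POA&M, but no 5-point practice may remain open."""
    return all(LEVEL1_WEIGHTS[pid] < 5 for pid in open_practices)


def level1_acceptable(assessment: dict[str, list[str]]) -> bool:
    """True when the assessment reaches the 63-point threshold."""
    score, _ = score_assessment(assessment)
    return score >= MAX_SCORE


# Constructed sample: two objectives per practice, all Met except two
# low-weight practices that lack evidence.
SAMPLE = {pid: [MET, MET] for pid in LEVEL1_WEIGHTS}
SAMPLE["PE.L1-3.10.3"] = [MET, NOT_MET]   # visitor escort not evidenced (1 pt)
SAMPLE["SI.L1-3.14.5"] = [NA, NOT_MET]    # periodic scans not evidenced (3 pt)

if __name__ == "__main__":
    total, open_items = score_assessment(SAMPLE)
    print(f"score {total}/{MAX_SCORE}, open: {open_items}, "
          f"POA&M allowed: {poam_allowed(open_items)}, "
          f"Level 1 acceptable: {level1_acceptable(SAMPLE)}")
```

On the constructed sample the script reports 59 of 63 with two low-weight practices open, so a POA&M would be permitted but Level 1 would not yet be acceptable; mark a 5-point practice such as IA.L1-3.5.2 as Not Met and poam_allowed() returns False.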
If you’re a contractor looking to review the domains, practices, and objectives of CMMC Level 1, you can find everything you need on the DoD CIO website: https://dodcio.defense.gov/CMMC/Documentation. Start by reviewing the CMMC Model Overview document, which includes the practice naming convention, a matrix of all the practices and their levels, and a crosswalk of all CMMC practices with comparable controls in other frameworks. Next, check out the CMMC Level 1 Scoping Guidance, which explains FCI Assets, Specialized Assets, and Out-of-Scope Assets for Level 1. Finally, use the CMMC Level 1 Self-Assessment Guide to walk through all 59 assessment objectives and get examples and discussion for each.
Need help getting your head around implementing CMMC for your company? Masser Technologies can help. Masser Technologies has in-house Certified CMMC Professionals (CCPs) certified by The Cyber AB, the accreditation body recognized by the DoD that oversees the accreditation of the training and testing required for CMMC professionals, assessors, and the other certified individuals and organizations in the CMMC ecosystem. Let us help you become CMMC-ready!
CMMC Levels: https://cyberab.org/What-is-CMMC
Department of Defense Chief Information Officer CMMC Information: https://dodcio.defense.gov/CMMC/Documentation/