Why Department of Defense contractors need to be CMMC compliant

About the author

From security architecture to data management, Cory Retherford brings 20 years of technical experience to his position as Principal Advisory Solutions Engineer at Spirion providing real world solution implementation strategies within large and complex environments. With a focus in data security, privacy, and operational data security risk reduction, Cory believes in protecting sensitive data because privacy matters to us all.

The U.S. Department of Defense (DoD) is constantly under attack from cyber adversaries. Every single day, the DoD battles 36 million email threats, and that number doesn't include the other types of attacks coming from nation-state adversaries, cybercriminals, and various threat actors. The DoD's thousands of contractors are responsible for implementing and monitoring their own information technology systems and for any sensitive DoD information stored on those systems. If a contractor suffers a cyber incident, the effects ripple into other parts of the DoD, and any of them can put national security at risk. Coordinating cybersecurity standards across the entire defense industrial base therefore became a priority.

The Cybersecurity Maturity Model Certification (CMMC), released on January 31, 2020 as a unified standard for implementing cybersecurity across the defense industrial base, is the DoD's response to the significant number of compromises of sensitive defense information. Once the rollout is complete, every DoD contractor will need the appropriate CMMC certification to be eligible for DoD contract awards.

The CMMC framework guides companies toward the appropriate level of cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks. According to the CMMC model, "CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls." The CUI Registry covers a wide range of categories, from financial data to critical infrastructure to immigration. For contractors already following the NIST SP 800-171 cybersecurity standard, CMMC is an additional requirement: it adds a third-party assessment on top of the self-attestation that standard previously relied on.

The 5 levels of CMMC

CMMC 1.0 defines five certification levels; the level a contractor must hold depends on the sensitivity of the information handled under each contract.

  • CMMC Level 1. Basic cyber hygiene: the 17 practices needed to safeguard Federal Contract Information (FCI).
  • CMMC Level 2. Intermediate cyber hygiene: a transition step toward protecting Controlled Unclassified Information (CUI).
  • CMMC Level 3. Good cyber hygiene: practices to safeguard CUI, including all 110 NIST SP 800-171 requirements plus additional practices.
  • CMMC Level 4. Proactive: practices to detect and respond to the changing tactics, techniques and procedures (TTPs) of advanced persistent threats (APTs).
  • CMMC Level 5. Advanced/progressive: standardized and optimized capabilities in place to detect and respond to APTs.

The DoD specifies the required certification level in each solicitation, so contractors learn the target level at the proposal stage. Certification is required for every company involved in any DoD work, including subcontractors, and each certification is good for three years.

When it comes time to prove that CMMC controls are in place, contractors must be able to audit their systems, generate comprehensive reports, and review those audit reports in detail. In practice, meeting these requirements calls for a robust and accurate data discovery toolset.

Why contractors need to be CMMC compliant

The good news is that CMMC is a phased rollout, requiring the lower certification levels first and easing in the higher levels by fiscal year 2025. This gives contractors and agencies time to bring their security infrastructure up to the standards required to protect CUI.

Providing high levels of cybersecurity for sensitive information is an uphill battle. Before the concept of CUI was introduced in 2008, agencies relied on an alphabet soup of inconsistent markings to protect sensitive information. Documents that contained sensitive but unclassified defense information such as schematics, reports, and other technical data were marked with an array of acronyms indicating their protected status, such as For Official Use Only (FOUO) and Sensitive But Unclassified (SBU).

CUI offers a more standard system for identifying sensitive information. Conducting regular CUI risk or breach damage assessments is still time intensive, but it is necessary for contractors that want to continue working with the DoD. Defense contracts are lucrative for any organization that lands them. However, an organization that is regularly hit with cyberattacks, or that lacks the infrastructure to prevent and mitigate incidents affecting CUI, risks losing those contracts. CMMC compliance helps organizations retain their contracts with the DoD.

The Right Tool for the CMMC

Maintaining compliance with CMMC requires the right set of tools: ones that can locate CUI and export-controlled data, as well as other sensitive data such as Personally Identifiable Information (PII). Automated tools reduce the overall time spent locating documents whose categories or markings put them in scope for CMMC.

While there is no one single tool that can do every data discovery task, Spirion offers a solution that:

  • identifies both PII and CUI across structured and unstructured data by searching text and images
  • accurately discovers common PII sensitive data types
  • creates custom sensitive data types to search for phrases, words, and acronyms that are indicative of CUI
  • enables regular CUI risk assessments with its automatic data discovery capabilities and dynamic dashboards
  • automatically and persistently classifies data and embeds labels into documents and files
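To make the "custom sensitive data types" idea concrete, here is an added example (not Spirion's code and not part of the original article) of a minimal discovery pass: it scans a corpus of text files for the legacy and current markings discussed above (CUI, FOUO, SBU, export-control markings) and for one PII type (US Social Security numbers), and it filters SSN matches through the issuance rules so that obviously impossible numbers are not reported. The marking list, the file contents, and the paths are all constructed for the example; a real deployment would take its marking list from the CUI Registry and the organization's own marking guide.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Markings that suggest a file carries CUI or legacy sensitive data.
# Assumed list for this example; a real deployment would maintain its own.
CUI_MARKINGS = [
    r"\bCUI\b",
    r"\bCONTROLLED UNCLASSIFIED INFORMATION\b",
    r"\bFOUO\b",
    r"\bFOR OFFICIAL USE ONLY\b",
    r"\bSBU\b",
    r"\bSENSITIVE BUT UNCLASSIFIED\b",
    r"\bNOFORN\b",
    r"\bEXPORT[- ]CONTROLLED\b",
    r"\bITAR\b",
]
# Case-sensitive on purpose: "cuisine" and "guitar" must not trigger CUI/ITAR.
MARKING_RE = re.compile("|".join(CUI_MARKINGS))

# US SSN in AAA-GG-SSSS form with '-' or ' ' separators; the lookarounds stop
# a longer digit run (a date, a part number) from yielding a partial match.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject area/group/serial values the SSA never issues (cuts false positives)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


@dataclass
class Finding:
    path: str
    kind: str      # "CUI_MARKING" or "SSN"
    value: str     # the matched text
    line: int      # 1-based line number, for the audit report


def scan_text(path: str, text: str) -> List[Finding]:
    """Return every marking and plausible SSN found in one file's text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in MARKING_RE.finditer(line):
            findings.append(Finding(path, "CUI_MARKING", m.group(0), lineno))
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(path, "SSN", m.group(0), lineno))
    return findings


def scan_corpus(corpus: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file text (stands in for walking a share)."""
    out: List[Finding] = []
    for path, text in corpus.items():
        out.extend(scan_text(path, text))
    return out


def summarize(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Per-file view of which sensitive data kinds were found (for a dashboard)."""
    summary: Dict[str, Set[str]] = {}
    for f in findings:
        summary.setdefault(f.path, set()).add(f.kind)
    return summary


# Constructed sample corpus; none of this is real data.
SAMPLE_CORPUS = {
    "drawings/bracket-rev3.txt": (
        "CUI//SP-EXPT\n"
        "Bracket assembly, rev 3.\n"
        "Distribution: EXPORT CONTROLLED under ITAR.\n"
    ),
    "hr/onboarding.txt": (
        "Employee: J. Doe\n"
        "SSN: 219-09-9999\n"
        "Order ref 000-12-3456 (invalid area, not an SSN)\n"
        "Part 666-55-1234 (invalid area, not an SSN)\n"
    ),
    "legacy/memo-2007.txt": (
        "FOR OFFICIAL USE ONLY\n"
        "This memo is FOUO. Circuit board, cuisine, guitar.\n"
    ),
    "public/press-release.txt": "Nothing sensitive here: a public announcement.\n",
}

if __name__ == "__main__":
    for f in scan_corpus(SAMPLE_CORPUS):
        print(f"{f.path}:{f.line}: {f.kind} {f.value}")
```

Two design points matter in practice. Marking matches are anchored on word boundaries and kept case-sensitive, because case-insensitive acronym matching over an unstructured share produces far more noise than it catches. And markings are only evidence, not proof: a file that was never marked can still contain CUI, which is why the content-based checks (the SSN rule here, and whatever custom phrases the organization defines) run alongside the marking search.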

With a data discovery and classification solution like Spirion, DoD contractors can reduce the risk of unauthorized or unintended transfer and publication of CUI and show assessors that their organization meets the relevant CMMC practices.