Federal Certification Standards Apply
Defense contractors and subcontractors must be certified to be eligible for projects
by Rachael Kvapil
New US Department of Defense, or DOD, cybersecurity standards go into effect in October, which will affect contractors seeking to work on projects with several government agencies, including the US Army Corps of Engineers–Alaska District.

Cybersecurity Maturity Model Certification, or CMMC, is a framework designed to protect sensitive unclassified information that is processed, stored, or transmitted by defense contractors and subcontractors.

When the standards go into effect, contractors and subcontractors will need, at a minimum, Level 1 certification to be eligible for USACE and other DOD projects.

No Certification, No Award
In the past few decades, governmental agencies such as DOD have seen an increased need for stronger cybersecurity measures to protect sensitive information transmitted via the Internet. The CMMC was established in response to rapidly accelerating cyber-attacks across the Defense Industrial Base, a network of organizations, facilities, and resources that provides the US government with defense-related materials, products, and services. To address these threats and protect sensitive government information, the DOD implemented a standardized framework for assessing and certifying cyber hygiene levels and the cybersecurity maturity of the industrial base.

“Overall, the effort to secure government information is to make sure it’s not accidentally released during a cyber attack,” says Ryan Zachry, Small Business Professional for USACE–Alaska District.

CMMC standards have existed since 2021, but the federal government announced the certification mandate last year. The full implementation timeline spans three years. Beginning October 1, Level 1 certification is required for the security of Federal Contract Information, or FCI, whether or not the prospective project includes Controlled Unclassified Information, or CUI.

By October 2026, companies must complete both Level 1 and 2 certifications, which cover both FCI and CUI. And for those who need Level 3 certification to work on highly classified weapons systems or critical CUI, the deadline for completion is October 2027.

Certification is mandatory for all DOD contracts greater than the $10,000 micro-purchase threshold for awards, orders, calls, agreements, and Government Purchase Card transactions. There is an exception for commercial off-the-shelf purchases. Likewise, contractors and subcontractors already working on DOD and USACE projects are grandfathered; however, they will need certification before they are awarded future projects.

Which Level is Required?
Zachry explains that Level 1 certification is considered the basic level of cyber hygiene. It’s a fifteen-point self-certification process, and there is no fee to start, nor is there a need for a third-party certifier. Any costs associated with meeting the criteria outlined on the Supplier Performance Risk System, or SPRS, website are internal to the company. A “SPRS Cyber Vendor User” role is required to enter CMMC Assessment information before companies can access the application module and complete the assessment.

Level 2 and Level 3 certifications pertain to companies dealing with increasingly higher levels of controlled information and, therefore, are more complex. In addition to self-certification, contractors must meet additional criteria outlined on the SPRS website, followed by verification by a certified third-party assessment organization authorized to conduct CMMC evaluations. Because Level 3 is the advanced level of cyber hygiene, additional steps are required prior to verification by the certified third-party assessment organization and the Defense Industrial Base Cybersecurity Assessment Center. Zachry says the cost of Level 2 and Level 3 certification is significantly higher, due to the need for third-party verification and any additional internal changes to a company’s IT systems to meet compliance requirements. Once implemented, Level 2 and Level 3 certifications require a third-party assessment every three years. In addition, a yearly self-assessment is mandated to ensure the in-place protections are working and being followed.

Photo: aerial view of the Pentagon. Starting on October 1, the new US Department of Defense cybersecurity standards begin to go into effect, with full implementation over the course of three years. (Ivan Cholakov | iStock)

“Level 2 certification is a significant cost, and I’d advise not investing in it unless a company knows they’re going to need it,” says Zachry. “Applying for Level 1 certification doesn’t cost anything. Companies can spend several thousand dollars to achieve Level 2 and 3 certifications, which is out of reach for many small businesses.”

Time Is the Biggest Hurdle to Completion
R&M Consultants, Inc. is currently working towards its Level 2 certification. As a firm specializing in cold region design, it decided prior to starting the CMMC certification process in 2023 that Level 2 was the highest certification level required for R&M projects. Jeremiah Fisher, IT group manager for R&M, says the company partnered with an external firm to guide it through the regulations because R&M staff didn’t have internal expertise on Federal Acquisition Regulation 52.204-21 and National Institute of Standards and Technology, or NIST, Special Publication 800-171 R2 regulatory requirements pertaining to federal cybersecurity safeguards. With help, R&M completed an internal assessment to validate all areas where it was already compliant and developed a plan of action to align the company with the remaining requirements.

“The path to certification varies depending on what level of compliance you need,” says Fisher. “For R&M, this means meeting the 110 requirements of NIST Special Publication 800-171 R2. This includes physical and logical protection and policies to ensure CUI is protected at all times within our network and in the physical space where it resides.”

Going into the process, Fisher says R&M had very little understanding of what CMMC requirements were, including what they were trying to safeguard and why. In the process of working toward compliance, they’ve learned that the CMMC requirements, while not trivial, are not overly onerous, and most of the requirements are really just good modern cybersecurity standards. There are pieces that are specific to CUI and FCI and to information storage. For example, companies can’t use commercial cloud storage. Instead, they have to use special DOD-approved cloud storage services to store data in the cloud.

“CUI has been a nebulous idea from the start,” says Fisher. “By definition, it is information that is not classified but still needs to be protected and not shared with the world. Some of this information by itself isn’t CUI; sometimes it becomes CUI when combined with other information. We now have a much better idea of how to identify CUI, most of which will come from the DOD and will be marked in specific ways.”

While much of the work in becoming CMMC certified falls under the responsibilities of R&M’s IT group, Fisher says it is a company-wide initiative. Any department that will create or encounter CUI needs to be involved and trained in procedures to protect CUI. R&M’s IT group is currently working with all departments, including engineering, construction services, geomatics, earth sciences, planning, and business services, to ensure that IT understands what users need to work efficiently in this new environment and that all departments and employees understand the scope and requirements of CMMC.

Fisher advises companies to get started with the certification process, even if they are already well aligned with the standards. He says there are a lot of boxes to check, a lot of policies to create, and a fair bit of training for users. Though CMMC may seem daunting at first, it ultimately strengthens a firm’s cybersecurity posture. More importantly, it ensures that the firm can continue supporting DOD projects while protecting sensitive information critical to national security.

“The biggest hurdle here is time,” says Fisher. “Take a deep breath, and if you don’t have the internal staff to work through this, contract an external firm with experience in NIST requirements to help guide you through this. It is all very doable and comes down to attention to detail.”

Zachry says contractors and subcontractors can find more information on the SPRS website, www.sprs.csd.disa.mil, or they can contact him with questions.

Rachael Kvapil is a freelance writer who lives in Fairbanks.