Government contractors are the target of increasingly frequent and complex cyberattacks. To protect American ingenuity and national security information, the Department of Defense (DoD) developed a new cybersecurity certification program. The DoD Cybersecurity Maturity Model Certification (CMMC) 2.0 Program enhances cyber protection standards for Government contractors working with the DoD.
What is the CMMC 2.0 Program?
The CMMC 2.0 Program is designed to protect sensitive unclassified information that is shared by the DoD with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the DoD increased assurance that contractors and subcontractors are meeting these requirements. This new umbrella standard includes requirements from NIST SP 800-171, the Federal Acquisition Requirements (FAR) document 52.204-21, and beyond.
Vernadero’s approach to cybersecurity and CMMC 2.0 Level 2 Compliance
Vernadero is a leader in the Government contracting engineering and environmental space by achieving early CMMC 2.0 Level 2 compliance by leveraging Microsoft Office 365 Government Community Cloud (GCC) High built atop an Azure Government Tenant. The Microsoft infrastructure also utilizes Cisco’s DUO Federal Workstation Multi-Factor Authentication. This means that we offer enhanced information security and virtual collaboration opportunities to our DoD customers and partners operating in the Government’s secure cloud environment.
We have also modified several internal and project workflows to incorporate performance and security improvements made available with the new GCC High cloud workspace. This includes enhanced online collaboration with DoD agencies and other GCC High tenants via Azure Active Directory B2B (business to business) collaborations. Our GCC High implementation also forces subcontractors working with Vernadero-controlled FCI and/or CUI to conform our cybersecurity controls.
Who needs to get CMMC certified and to what level?
Any company and its subcontractors that bid on a DoD contract that contains FCI and/or CUI will be required to be CMMC compliant. In the latest iteration of CMMC 2.0 (announced November 4th, 2021) there are three levels of CMMC compliance. Each level requires more practices and controls than the previous. The CMMC level mandated will be stated in the contract information. The majority of Vernadero contracts and subcontracts will require either a Level 1 or Level 2 compliance.
If your company will receive exclusively FCI under a contract or subcontract, then your will need CMMC Level 1 implementation and certification.
However, if your company will receive CUI in addition, then CMMC Level 2 will be required as a minimum.
When will CMMC 2.0 compliance be required?
The DoD hopes to begin implementing its CMMC program requirements in contracts in May 2023, as part of an effort to require hundreds of thousands of Government contractors to better protect their networks and controlled unclassified information. The requirements are currently going through the federal rule-making process for the Code of Federal Regulations (CFR) and the Defense Federal Acquisition Regulation Supplement, which is required before they can be implemented.
Vernadero will continue educating existing and potential new subcontractors and teaming partners on anticipated upcoming cybersecurity flow-down requirements to limit or avoid potential project workflow impacts once the new requirements appear in Government contract documents.
For More Information
For more information on potential CMMC 2.0 compliance flow-down requirements to subcontractors and teaming partners, please contact Dan Becker, Vernadero Group’s Information Technology Officer at (480) 315-1000.