Cybersecurity for Contractors, Part 3: Get Ready for CMMC 2.0, the Audit You May Soon Face

New federal rules are coming that will require you to undergo a cybersecurity audit to work for the Department of Defense. Over time, other federal agencies and eventually state and local government bodies are expected to adopt similar, if not the same, rules.

In other words, if you can’t prove you’re protected against cyber threats and intrusions, you will eventually be barred from bidding on government work, including DOT, infrastructure and construction work. And don’t be surprised if in the future private entities and insurance companies require the same protections.

Regulations updated

In recent years the federal government in general, and the Department of Defense in particular, have begun requiring prime contractors, subcontractors, manufacturers, suppliers, and any entity in its supply chain to implement cybersecurity standards, says Jordan Howard, counsel, federal construction and regulatory affairs at Associated General Contractors of America. The most significant of these requirements are NIST SP 800-171, Cybersecurity Maturity Model Certification (CMMC), and Section 889 Part B.

CMMC was rolled out in 2018 as a requirement in all Department of Defense bids. Its aim was to serve as a unified cybersecurity standard for all defense contractors, subcontractors, and businesses in its supply chain, says Howard. Under this model, defense contractors would have been required to be certified by a third-party certifier (C3PAO) to be eligible to bid on DoD contracts, says Howard.

But the five different levels and other details of CMMC proved to be overly complex and unwieldy. The original proposal was scrapped and retooled. In November 2021, the Department of Defense announced the new and improved CMMC 2.0. Among these changes are:

  • Reducing the number of companies that require a third-party assessment
  • Reducing the CMMC ratings from 5 levels to 3 levels
  • Suspending CMMC pilot programs until a final regulation is approved
  • Allowing annual self-assessments for certain levels
  • Bringing back Plans of Action and Milestones (POA&M) in lieu of assessments

“We are really appreciative of the DoD taking a step back and redoing this,” says Howard. “The original program was more of a stick than a carrot. But contractors understand the importance of cybersecurity much more now than they did ten years ago and don’t need a stick to persuade them.”

The three levels of security in CMMC 2.0 depend on how much exposure you might have to sensitive or classified government information.

  • Level 1 is the lowest level of security and has 17 practices that must be adhered to. Certification can be achieved with an annual self-assessment.
  • Level 2 requires 110 practices aligned with NIST SP 800-171, with third-party assessments every three years for critical national security information, plus annual self-assessments for select programs.
  • Level 3 requires 110+ practices based on NIST SP 800-172, with government-led assessments every three years.

The level at which you must be certified depends on your exposure to government information and will likely be spelled out in the RFQ or bid documents on a project.

  • Contractors who have access to, create or possess Federal Contract Information (FCI), meaning information not intended for the public, will be assessed at Level 1.
  • Contractors who create, possess or have access to information deemed Controlled Unclassified Information (CUI), which is information that needs to be safeguarded or requires dissemination controls, will be designated as Level 2 or above.
  • Level 3 is probably irrelevant for construction contractors and has more to do with companies working on things like nuclear submarines and top-secret military programs.

Getting assessed

CMMC 2.0 Level 1 requirements are more elementary and are the types of things that most companies would have in place to protect their own systems and information, says Matt Gilbert, principal at Baker Tilly. The details related to the self-assessment are not yet released but likely are going to be straightforward and manageable, he says.

The cost of Level 2 assessments, conducted by certified assessors, remains to be seen, says Gilbert. Many factors contribute to determining the cost, including the complexity of the company’s environment, the number of systems and locations, and the availability of assessors.

To conduct a Level 2 assessment, a team would need to spend a couple of days planning, then about a week conducting the assessment, and time wrapping up and reporting, he says. “I would anticipate that from start to finish this would be a multiple-week effort,” says Gilbert. “If you need a certification, it will not initially be a quick turnaround. I would suggest at a minimum starting the process of hiring a C3PAO two or three months prior to when it is required,” he says.

Assessor certification

C3PAOs are registered and approved by the Cyber AB (formerly known as the CMMC Accreditation Body), says Gilbert. It is important to understand their availability and their familiarity with similar businesses. “Context can have an important part in the judgments and evaluation that an assessor makes, so finding an assessor that understands your company is wise,” he says.

Better for construction

The reduced complexity of CMMC 2.0 will lower costs for contractors while increasing oversight of professional and ethical standards for third-party assessors. It also allows companies in some circumstances to make Plans of Action and Milestones (POA&M) to achieve certification. The DoD is also exploring opportunities for incentives to contractors who voluntarily obtain a CMMC certification in the interim period before CMMC 2.0 becomes law.

“AGC has taken the lead on this issue because we recognize the importance of cybersecurity. It’s very important to our national security, economic competitiveness and protecting our tax dollars that we have these robust tools,” says Howard.

Be careful when buying phones and other tech gear

“Section 889 Part B” of the original CMMC proposal, which is likely to remain in the new version, prohibits federal agencies from entering into, extending, or renewing a contract with a contractor that uses any equipment, system, or service from unauthorized vendors like the Chinese companies Huawei or ZTE. The rule is likely to expand the scope of this prohibition to apply to affiliates, parents, and subsidiaries of the prime contractors, says Howard.

Notable cyberattacks in construction

  • Canada-based Bird Construction suffered a ransomware attack in December 2019. Cyber-criminals demanded $9,000,000 (Canadian) in exchange for decrypting the 60GB of data they were holding for ransom.
  • Houston, Texas-based Colonial Pipeline suffered a ransomware attack in May 2021 and was forced to pay Russia-linked hackers known as DarkSide $4.4 million. The attack infected some of the pipeline’s computer systems and forced them to shut down for several days.
  • In one of the biggest security breaches in history, a mechanical contractor for Target stores inadvertently left open a computer backdoor. This gave cyber-criminals access to the company’s computerized databases, from which they stole 40 million credit card numbers. Target was forced to pay $18.5 million in fines and restitution.
  • In May 2020 UK-based Bam Construct shut down some of its computer systems after falling victim to a cyber-attack. A Bam spokesman said the business had “stood up well” after hackers gained access to parts of the company’s IT systems. The company took several of its sites offline while also adding extra defenses to guard against future hacks.