What You Need To Know About CMMC 2.0 Compliance

Working with the Department of Defense (DoD) has always required that contractors, and the Managed Service Providers (MSPs) that support them, adhere to regulations and rules. It is no surprise that cybersecurity is a top concern. The original Cybersecurity Maturity Model Certification (CMMC) set the initial standards; CMMC 2.0 streamlines the model to three levels and brings additional requirements into play for contractors that handle sensitive information. Jones Metal is proud to be CMMC 2.0 compliant.

Cybersecurity Ranks High for DoD & Better Understanding of CMMC 2.0 Compliance
First it is important to understand why cybersecurity ranks as a high priority for the Department of Defense. The Defense Industrial Base (DIB) is under attack more than ever, facing increasingly sophisticated cyber threats. To safeguard American ingenuity and critical national security information, the DoD rolled out the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. CMMC 2.0 is all about strengthening DIB cybersecurity to protect the information that our warfighters rely on.

Supporting Our Nation's Security
At Jones Metal we have dedicated ourselves to understanding the details of these standards so that our customers can feel confident entrusting us with their Controlled Unclassified Information (CUI) projects. With all the announcements and articles being published, it can be difficult to identify the key points defense contractors need to know about the new rule. To get a full picture of these changes, it is helpful to start by looking back at the Level 1 standards.

Beginning with the Basics
CMMC 2.0 introduces several new or amended DoD requirements, but the proposed CMMC rule is significant for defense contractors in part because of what it keeps. Level 1 focuses on establishing a basic level of cybersecurity practices to safeguard Federal Contract Information (FCI), drawn from the safeguarding requirements of FAR 52.204-21. It serves as a foundation for higher levels of certification and aims to ensure that organizations have essential cybersecurity practices in place. It includes practices such as limiting system access to authorized users, escorting visitors and keeping logs of physical access, identifying and correcting system flaws in a timely manner, and keeping malicious-code protection updated. Level 1 is verified by an annual self-assessment rather than a third-party assessment.

Leveling Up to 2.0
Level 2 of CMMC builds upon the practices of Level 1 and is designed to protect Controlled Unclassified Information (CUI). Level 2 requires the implementation of a more comprehensive set of cybersecurity practices and controls, aligned with the 110 security requirements of NIST SP 800-171, to ensure the protection of CUI. This includes practices such as screening personnel before granting them access to CUI, documenting and controlling visitor access to facilities where CUI is processed, and periodically assessing security controls and updating security policies, procedures and plans of action.

Meeting New Standards
Prior to CMMC, protection of this information rested on contract clauses and contractor self-attestation, most notably DFARS 252.204-7012, which requires compliance with NIST SP 800-171. Export-controlled technical data was additionally governed by the International Traffic in Arms Regulations (ITAR), the Export Administration Regulations (EAR) and other agency-specific rules, so the markings and handling requirements varied from contract to contract.

For Jones Metal and other companies contracting with the DoD, this entails implementing the 110 NIST SP 800-171 security requirements, assessed using the procedures in NIST SP 800-171A and certified through the CMMC program, on DoD contracts that involve CUI, including those that also reference ITAR, EAR, Defense Federal Acquisition Regulation Supplement (DFARS) or Federal Acquisition Regulation (FAR) requirements.

A Quick Breakdown
The CMMC program aligns with the DoD's information security requirements for Defense Industrial Base (DIB) partners. It ensures that contractors and subcontractors protect sensitive unclassified information shared by the Department. The program features a tiered model, requiring progressively advanced cybersecurity standards based on the sensitivity of the information handled. CMMC assessments verify that these standards are met, and contractors must achieve the CMMC level specified in a solicitation as a condition of contract award.

For a full overview of the transition, visit https://dodcio.defense.gov/CMMC/about.


Playing the Waiting Game
The upcoming changes will be rolled out through a formal rulemaking process. Once the new rules take effect, companies will need to meet them before they can be awarded affected contracts. The DoD plans to make these changes official by adding the CMMC program rule to Title 32 of the Code of Federal Regulations (32 CFR Part 170) and updating the DFARS in Title 48 of the CFR. These rules have a public comment period, so you have a chance to provide input.

In the meantime, the DoD has paused its earlier CMMC pilot efforts. It is also urging contractors to keep strengthening their cybersecurity defenses. To help, it has created Project Spectrum, designed to help Defense Industrial Base (DIB) companies assess their cyber readiness and start adopting sound cybersecurity practices.

Finding a Reliable Partner
If your company works with or is interested in becoming a DoD service provider, make sure the organizations you work with are reliable partners that carry the proper credentials and certifications. Jones Metal is working toward CMMC Level 2 certification, assessed by a Certified Third-Party Assessment Organization (C3PAO), to confirm our ability to handle projects involving Controlled Unclassified Information (CUI), particularly with the DoD, and to maintain our trustworthiness as a partner to our customers.

Jones Metal proudly supports the Defense Industrial Base (DIB) and works with Primes to provide critical components for our nation's defense. Our commitment to excellence and innovation ensures we deliver high-quality products that meet stringent requirements, contributing to the defense and security of our country.

Staying Informed
When it comes to sensitive issues, it is important to get the facts straight. Be sure you are referencing reliable sources such as statements published on the DoD website. Want to learn more? Refer to the resources provided below for official news on the current and upcoming proposed changes.

Resources: