SMT007 Magazine

SMT007-Apr2023

Issue link: https://iconnect007.uberflip.com/i/1496178


access, theft, and damage. It's a broad concept that encompasses many different tactics, techniques, and procedures. CMMC compliance, on the other hand, refers to the requirements set forth by the DoD to ensure that contractors are meeting a minimum level of cybersecurity readiness before being awarded contracts. In other words, cybersecurity is the foundation upon which compliance is built. A company must have a solid cybersecurity posture that extends to cover compliance safeguards in order to achieve compliance. While CMMC compliance is a specific set of requirements that a company must meet to do business with the DoD, cybersecurity is a broader and ongoing practice that should be applied to all aspects of a company's operations to protect against cyber threats.

What are the current DoD cybersecurity requirements?

Allen Anderson: Effective Dec. 31, 2017, the Defense Federal Acquisition Regulation Supplement (DFARS), and specifically DFARS clause 252.204-7012, mandates that the security controls defined in National Institute of Standards and Technology Special Publication 800-171 (NIST 800-171) be followed by all defense contractors, relying on the contractor's self-attestation of compliance through DFARS clause 252.204-7019 and the Supplier Performance Risk System (SPRS). NIST 800-171 recommends certain cybersecurity standards. It consists of 110 controls to protect unclassified, but sensitive, information, and to govern timely reporting of cyber incidents. CMMC—or DFARS clause 252.204-7021—will move the level of proof of compliance from mere self-attestation to third-party audit and verification. In short, CMMC is designed to ensure defense contractors are acting as they have been attesting with respect to the NIST 800-171 controls.

What is CMMC?
Vijay Takanti: The DoD created CMMC in response to the ongoing compromise of sensitive unclassified information that threatens our national security. The existing security requirements imposed on members of the Defense Industrial Base (DIB), those companies that directly or indirectly serve the DoD, have proven ineffective. While CMMC remains a work in progress ahead of its official implementation, the current version of the framework, CMMC 2.0, consists of three Maturity Levels. Maturity Level 1 comprises 17 requirements, known as practices, designed to protect Federal Contract Information (FCI). Maturity Level 2 contains 110 practices, including the 17 from Level 1, which will protect Controlled Unclassified Information (CUI). These 110 practices directly align with the 110 controls defined in NIST 800-171, the standard to which companies that handle, process, or store CUI are held today. Maturity Level 3 has not yet been fully defined because it will apply only to a small number of contracts and contractors, but it will encompass the 110 practices of Level 2 and additional practices drawn from other standards like NIST 800-172.

There's an important difference between CMMC and its predecessors. In the current environment, companies can self-attest their compliance with NIST 800-171. Most companies seeking CMMC Maturity Level 2 accreditation, and all pursuing Maturity Level 3, will have to pass an assessment conducted by a CMMC Third Party Assessment Organization (C3PAO) or the Defense Contract Management Agency's (DCMA) Defense Industrial Base

Joaquin Hernandez
