CMMC Check-in What Should your Firm be Doing Today to Prepare for the Spring 2023 Requirements Recording
Video Summary
The webinar provided an in-depth update on the Cybersecurity Maturity Model Certification (CMMC) and its implications for defense contractors, focusing on preparation for the 2023 requirements. Dan Hilton introduced the session, followed by expert presentations from Sai Elba, a government contracts attorney, and Tom Tolerton, a cybersecurity advisor and CMMC provisional assessor. Key points included:

1. CMMC Overview: Transitioning from CMMC 1.0 to 2.0 has streamlined requirements, focusing on alignment with NIST 800-171 standards to protect Controlled Unclassified Information (CUI). Three certification levels exist: Level 1 (basic cybersecurity for Federal Contract Information), Level 2 (comprehensive controls for CUI), and Level 3 (advanced protections for highly sensitive programs). Certification will be mandatory and must be flowed down the supply chain, with third-party assessments required, especially at Level 2.

2. Implementation Timeline & Challenges: Full rollout won't happen immediately due to limited assessor capacity. Contractors should self-score their current cybersecurity status under NIST 800-171 via the Supplier Performance Risk System (SPRS) and prepare for mandatory third-party certification. Certification lasts three years with annual attestations. Many unknowns remain, including the conditional certification process, repercussions for noncompliance, and guidance on mergers and subcontractors.

3. Practical Advice: Contractors must proactively conduct gap assessments, maintain comprehensive system security plans, assign cybersecurity roles, and define CUI scope to reduce risk and assessment complexity. Early preparation is critical to avoid losing contracts.

4. Section 889 Compliance: Related federal requirements prohibit government contracts with entities using certain telecommunications equipment from banned companies (notably Chinese firms). The rule applies broadly, including to subcontractors and even non-IT functions if they handle sensitive data.

Overall, the session emphasized the urgency for contractors to understand and prepare their cybersecurity programs now, given evolving CMMC mandates and the complex federal compliance landscape.
Keywords
Cybersecurity Maturity Model Certification
CMMC 2.0
NIST 800-171
Controlled Unclassified Information
Defense Contractors
Third-Party Certification
Supplier Performance Risk System
Section 889 Compliance
Cybersecurity Gap Assessment
Federal Contract Information