Stay audit-ready & fully compliant with Infor CloudSuite and Godlan.
Defense contractors face the very real threat of losing business if they are noncompliant with the Cybersecurity Maturity Model Certification (CMMC) standard.
Cybersecurity Maturity Model Certification (CMMC) 2.0
What is CMMC 2.0?
On October 15th, 2024, the CMMC ruling – known formally as the 32 CFR Part 170 ruling, or the “Program Rule” for CMMC – was published.
The Cybersecurity Maturity Model Certification (CMMC) represents a critical mandate from the U.S. Department of Defense to enhance the protection of sensitive data across the complex and expanding defense contracting supply chain. The purpose of CMMC is to verify that defense contractors are compliant with existing protections for federal contract information (FCI) and controlled unclassified information (CUI) and are protecting that information at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats. While the government’s phased rollout will take time, prime contractors are already expecting CMMC requirements to be met by subcontractors.
We encourage you to act now, as the demand for compliance services will grow and strain available resources.
Accelerating time-to-compliance: Infor CloudSuites for CMMC readiness
What you need to know:
- CMMC applies to all subcontractors, regardless of their supply chain tier position.
- Contractors must achieve 100% adherence before they can receive new contract awards.
- Only certified assessors can provide CMMC validation.
- Remediation plans or Plan of Action & Milestones (POA&M) are not allowed.
- Certification is valid for three years.
- CMMC will not be applied retroactively to existing contracts.
- Certification costs are an allowable, reimbursable cost.
The revised CMMC Program has 3 key features:
1: Tiered Model:
CMMC requires companies entrusted with Federal contract information and controlled unclassified information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also describes the process for requiring protection of information flowed down to subcontractors.
2: Assessment Requirement:
CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
3: Phased Implementation:
Once CMMC rules become effective, certain DoD contractors handling FCI and CUI will be required to achieve a particular CMMC level as a condition of contract award. CMMC requirements will be implemented using a 4-phase implementation plan over a three-year period.
In the event companies cannot establish full compliance, they must develop plans of action that describe how unimplemented security requirements will be met and how any planned mitigations will be implemented. Although an explicit time limit for mitigation is not specified in NIST SP 800-171 R2, contractors that fail to reasonably comply with applicable requirements may be subject to standard contractual remedies.
Please see the DCMA DIBCAC website at www.dcma.mil/DIBCAC/, which includes links to the pre-assessment documents; a publicly releasable version of the assessment database; FAQs; an informational video; a link to the Procurement Integrated Enterprise Environment (PIEE), the primary enterprise procure-to-pay application for the DoD; a link to SPRS, where assessment scores are posted; and links to other reference materials.
DoD has created a series of guidance documents to assist organizations in better understanding the CMMC Program and the assessment process and scope for each CMMC level. These guidance documents are available on the DoD CMMC website at https://dodcio.defense.gov/CMMC/Documentation/ and on the DoD Open Government website at https://open.defense.gov/Regulatory-Program/Guidance-Documents/.
The Benefits of CMMC Include:
- Safeguarding sensitive information to enable and protect the warfighter
- Enforcing DIB cybersecurity standards to meet evolving threats
- Ensuring accountability while minimizing barriers to compliance with DoD requirements
- Perpetuating a collaborative culture of cybersecurity and cyber resilience
- Maintaining public trust through high professional and ethical standards
How do I know if I need to comply with CMMC 2.0?
You need to comply with CMMC 2.0 if your company is a contractor or subcontractor working with the Department of Defense (DoD) and handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). That means you likely need to review your existing contracts to see if CMMC compliance is specified, especially if you have a DFARS 7012 clause indicating the need for CUI protection. If you are unsure, contact your prime contractor to clarify your CMMC requirements.
Contractors:
Here’s what contractors must do now to ensure compliance with CMMC 2.0:
Check your existing contract requirements to determine your appropriate level of CMMC. If you have existing DFARS 7012 requirements and you handle CUI, it is likely that you’ll need to be CMMC Level 2 compliant.
- Step 1: Identify your target maturity level.
- Step 2: Determine whether external security or compliance services are needed.
- Step 3: Conduct a self-assessment and update security documentation.
- Step 4: Remediate gaps.
- Step 5: Conduct a CMMC readiness assessment.
- Step 6: View this webinar for more information.
- Step 7: Download this CMMC Readiness Brief for an overview of the steps required for CMMC compliance.
Time is Ticking
When will CMMC compliance be required?
- The CMMC Program Final Rule was published on October 15, 2024.
- It takes a 50-person company an average of 6-12 months to prepare for a CMMC assessment.
- CMMC assessments will be available in Q1 2025.
- The phased rollout of CMMC as a contractual requirement will begin around Q3 of 2025.
CMMC Implementation
The CMMC Program implementation date is 60 days after the publication of the final Title 48 CFR CMMC acquisition rule. CMMC assessment requirements will be implemented using a four-phase plan over three years. The phases add CMMC Level requirements incrementally, starting with self-assessments in Phase 1 and ending with full implementation of program requirements in Phase 4. This phased approach allows time to train assessors and for companies to understand and implement CMMC assessment requirements.
Start Your Compliance Journey Now With Infor
Infor CloudSuites provide purpose-built capabilities to help manufacturers establish the policies, procedures, and systems needed for cost-efficient CMMC adoption. With Infor CloudSuites, manufacturers gain an integrated platform designed specifically for defense contractors, with functionality that maps to core CMMC domains right out of the box:
Role-based access control:
Restrict data access to authorized users based on their roles and responsibilities. Easily implement the principles of least privilege and separation of duties.
Asset lifecycle tracking:
Maintain end-to-end visibility into the hardware and software assets that access relevant data, across procurement, deployment, maintenance, and disposal.
Workflow automation:
Ensure consistent, auditable execution of processes that impact CUI systems, like change management procedures.
Systems integration:
Connect engineering tools like PLM and ALM to manage product data and technical documentation. Perform unified identity, access, and authentication management.
Analytics for predictive monitoring:
Utilize artificial intelligence and advanced analytics to identify vulnerabilities, detect threats, and preempt compliance issues.
Infor is your turnkey solution to compliance.
While meeting the complex and rigorous CMMC standards can be extremely costly and resource-intensive for manufacturers, the purpose-built Infor® CloudSuite Aerospace & Defense provides a strong foundation of capabilities to streamline and automate compliance activities.
With decades of experience serving the aerospace and defense industries and a track record of delivering secure, certified cloud solutions for government agencies, Infor is dedicated to assisting A&D manufacturers of all sizes to navigate the path to CMMC readiness.
Infor’s Defense solutions, including Gov Cloud, meet rigorous regulatory, security and safety standards for low-volume, engineer-to-order and high variability production operations. Our solutions support robust traceability for regulatory compliance, extensive in-house and sub-contracted operations, multi-site cost visibility, digital service records, and efficient after-market service management.