April 6, 2022

    CMMC 2.0 Controls Made Easy for Small & Mid-Sized Contractors

    When the Department of Defense initially announced version 2.0 of its Cybersecurity Maturity Model Certification (CMMC), it was meant to be good news for small and mid-sized businesses and contractors that work with the United States Military. CMMC 1.0 put a heavy burden on these smaller organizations to create systems and manage controls that they simply didn’t have the in-house resources to create and manage.

    But planning for the CMMC 2.0 model brings to light just how challenging compliance remains for small- and mid-sized organizations. While CMMC version 2.0 has been framed as less of a burden for smaller businesses and contractors, there’s still a lot of work to be done to reach full compliance.

    How CMMC 2.0 Benefits Small- and Mid-Sized Contractors

    More than 300,000 contractors make up the Defense Industrial Base (DIB). The vast majority of these contractors are small- and mid-sized businesses that “do not work on sensitive programs,” though they still need to comply with certain cybersecurity regulations. The CMMC 2.0 changes were designed to better support these small- and mid-sized contractors in the following ways:


    • Security Tiers: The number of security tiers included in the model is being reduced from five to three, which simplifies the model. The CMMC 2.0 model removes the maturity processes between levels (more on this in a moment).
    • Third-Party Certification: Contractors that do not interact with controlled unclassified information (CUI) will no longer be required to obtain a third-party certification. Some contractors handling CUI will be able to self-certify. Other contractors handling more sensitive CUI will be audited by the DoD.
    • Plan of Action Milestone (PoAM) Allowances: Contractors that do not meet all security controls will have the option to prove they will in the future. Using a PoAM allows contractors to continue working with the U.S. Military even if they have not met all requirements.

    Significant cybersecurity breaches in the 2010s inspired the Department of Defense to enhance cybersecurity measures and compliance regulations for contractors. CMMC 1.0 placed a heavy burden on small- and mid-sized contractors that the CMMC 2.0 framework is meant to reduce and streamline. This much is evidenced by comments in a related press release:

    “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements,” said Jesse Salazar, the deputy assistant secretary of defense for industrial policy at the DoD.

    Still, there remain challenges for smaller organizations that thrive on contracts with the U.S. Military.

    While the CMMC 2.0 updates do lessen the compliance burden on smaller organizations, that doesn’t mean they can sit back and relax. There remain serious compliance standards to meet if you want to do business with the U.S. Military, and not all small- and mid-sized contractors have the in-house resources to create and implement their own compliant systems, processes, and workflows. For example, all contractors will experience challenges related to:

    • DFARS 252.204-7012, 7019 and 7020 Clauses: Contracts still include DFARS 252.204-7012, 7019 and 7020 clauses, which are in place to protect CUI and federal contract information (FCI). Many small- and mid-sized contractors don’t have the internal resources to meet the standard outlined here. Clause 7019 specifically calls for contractors to self-assess and provide an accurate Supplier Performance Risk System (SPRS) score. Reporting inaccurate scores could lead to prosecution under the False Claims Act.
    • International Traffic In Arms Regulations (ITAR): Companies required to meet the export controls of ITAR compliance will need to meet both ITAR and CMMC 2.0. These will remain separate. Even small- to mid-sized contractors must be fully compliant, but there is significant overlap.
    • NIST 800-171: CMMC 2.0 simplifies the maturity processes included in CMMC 1.0, because the processes created 21 extra controls for contractors that needed to share CUI. The maturity processes were already included in NIST cybersecurity standards. Still, even with the burdensome maturity processes gone in CMMC 2.0, NIST 800-171 remains the basis for CMMC 2.0 (with some controls from NIST 800-172). Smaller contractors will still need assistance to comply with the NIST safeguards.

    Reading the points above may feel overwhelming to a small- or mid-sized contractor that wants to work with the U.S. Military. But there are technology partners you can work with to simplify compliance with CMMC 2.0, which would free you and your team to focus on securing new contracts and providing outstanding service.


    How FTP Today Simplifies CMMC 2.0 Compliance

    Small- and mid-sized contractors need to secure CUI away from their processing environments. At FTP Today, we simplify the tasks of securely storing and transferring CUI, which helps you with compliance and frees your time to focus on other important initiatives.

    Simply using FTP Today helps your organization fully meet 15 CMMC 2.0 controls, as well as providing the tools to meet 25 additional CMMC 2.0 controls (with minimal effort by the contractor). Using FTP Today for your secure file transfer and file sharing practically eliminates the compliance burden as it relates to sharing files inside and outside of your organization, which allows you to focus on high-value tasks for your business.

    You don’t need to build your own file sharing system from the ground up. And you don’t need to increase headcount to reach compliance. Don’t let the cost of CMMC 2.0 compliance place a drag on your business. Let FTP Today be a strategic partner that empowers affordable file sharing compliance and helps your organization grow.

    With a signed non-disclosure agreement, FTP Today can provide you full details on how CMMC 2.0 crosswalks to CMMC 1.0 and NIST 800-171, as well as who is responsible for each control. Get in touch with us to learn more about CMMC 2.0 and how FTP Today simplifies compliance.


    Arvind Mistry

    Arvind, Sharetru's Director of Compliance, brings 11+ years' experience in cloud solutions for Federal Govt. & public sector from esteemed companies.
