CMMC 2.0 streamlines requirements for contractors

By Hollie Kapos, Corporate Counsel

In September 2020, DoD published an interim rule to implement CMMC, which became effective November 30, 2020. The DoD received over 850 public comments in response, citing concerns with cost, trust in the assessment ecosystem, and alignment to other federal requirements.

Accordingly, DoD began an internal assessment of CMMC policy and implementation and, as a result, has just announced CMMC 2.0, which makes several substantial changes from the original model.

Levels streamlined in CMMC 2.0

Levels 2 and 4 have been removed, so there are now only three instead of five levels of compliance as follows:

  • CMMC Level 1, Foundational – Requires implementation of the 17 controls from NIST SP 800-171 enumerated in FAR 52.204-21 and submission of an annual self-assessment to the DoD through the Supplier Performance Risk System (SPRS).  
  • CMMC Level 2, Advanced – Requires implementation of the 110 controls in NIST SP 800-171 and submission of an annual self-assessment or, if required to handle “critical national security information” (currently undefined), a triennial independent assessment performed by a CMMC Third Party Assessment Organization (C3PAO). 
  • CMMC Level 3, Expert – Requires implementation of the 110 controls in NIST SP 800-171 and a subset of controls from NIST SP 800-172 and a triennial government-led assessment. Requirements for level 3 are still being developed.

CDM Notes: EO 14028 deadline is looming. Is your company ready to help?

By Amanda Mull, Contract Specialist

Cybersecurity specialists in the federal government are probably feeling the pinch right about now. By October 9, agencies will need to report on their current software systems as part of Executive Order 14028 on Improving the Nation’s Cybersecurity. If you are a vendor of cybersecurity products, you’d be well advised to make sure your business is appropriately listed – sooner, not later.

Following completion of their EO/OMB reports, agencies are to identify areas at high risk for cyberattacks – such as data theft, ransomware, and disturbances or exploitation of email or other communications. By identifying these vulnerabilities and whether agencies may be dependent on specific software or system providers, the federal government hopes to gain greater insight into problem areas.


3 Public Resources You Need to Prepare for Meeting With DOD

By Toné Mason, Senior Analyst

Abraham Lincoln once said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”

Investing time in being prepared prior to meeting with a government contact is vital — especially if you are diving into new departments and agencies within the DOD. Here are 3 top public resources at your disposal – and they are free!


CMMC Interim Rule Includes New Compliance Requirements

By Hollie Kapos, Corporate Counsel

You never know what surprises will pop up in the last few days of the government’s fiscal year, and this year there was a big one with the Interim Rule implementing DOD’s Cybersecurity Maturity Model Certification (CMMC).

The Interim Rule (“IR”), published on September 29, 2020 and effective as of November 30, 2020, adds the widely anticipated new DFARS clause for inclusion in DOD contracts implementing CMMC: 252.204-7021 (Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement). No surprise there.

But, the IR unexpectedly came with two additional clauses, DFARS 252.204-7019 (Notice of NIST SP 800-171 DOD Assessment Requirements) and DFARS 252.204-7020 (NIST SP 800-171 DOD Assessment Requirements), which require the immediate attention of federal contractors and their subs.

DOD ESI BPAs: What CETA Is and Why It Is Important

By Derek Giarratana, Supplier Manager

Many of you are familiar with DOD ESI BPAs, but you’re probably not as familiar with the CETA designation and what it means.

Only one vendor has received the CETA designation thus far. Recently, the Navy PEO-EIS designated the Tanium DOD ESI BPA, held by immixGroup, as the first DOD Core Enterprise Technology Agreement (CETA). The CETA designation means that this purchasing vehicle is mandatory for all DOD customers who want to procure Tanium products and services.

DOD Enterprise Software Initiative

Before we dive into CETA and what it means for DOD procurement, let’s briefly talk about the DOD ESI program, managed by the PMW 290 Project Office.

Top Trending Technologies in DOD for 2020

By Toné Mason, DOD Senior Analyst

FY20 has truly been the year of technology acceleration within the Department of Defense. Our world has never been more capable technology-wise than it is today. The arrival of 5G and the new challenges brought on by a rapidly expanding remote workforce have catapulted the adoption of new and innovative technologies.

The DOD is at a point where it is looking to gain a better understanding of currently available technologies and apply them where it makes the most sense. Below are some of the key areas the DOD is focused on right now.

Data Integrity

Data integrity is one of the essential areas. As the need for transparency increases, along with the desire to expand more into AI and machine learning, there has been more of a realization that DOD’s data is not consistent, not all data is being recorded and data is incomplete.

Winners in the FY21 Defense Budget Request

By Toné Mason, Senior DOD Analyst

The President is requesting $705.4B in DOD funding for FY21, which is a modest 0.1% increase from FY20. The biggest winner by far is U.S. Space Force, but there are still plenty of opportunities across DOD and the services for IT vendors.

Announced in FY20, funding for Space Force in FY21 is largely focused on providing funding for the establishment of the organization as a whole. More details regarding metrics and objectives are anticipated to be further developed over the next few years. From what we know at this time, automation, infrastructure, cyber and data analytics are anticipated to be key areas of interest for them.

Here’s a summary of DOD budget highlights for FY21.

If You Sell to DOD, Pay Attention to CMMC

By Troy Fortune, Vice President & General Manager

You’ve probably heard that the Department of Defense (DOD) recently released the official version 1.0 of its new Cybersecurity Maturity Model Certification (CMMC 1.0).

This is one of the hottest topics in government contracting right now and immixGroup is following developments very closely. And, it will affect everyone in our industry who sells to DOD – resellers, distributors and OEMs. 

As a quick refresher, this is a cybersecurity standard that all contractors must meet if they want to do business with DOD. As we’ve discussed before in a previous blog, the standards themselves are taken from existing ones. With CMMC 1.0, we now have more clarity on what the 5 levels of CMMC entail:

Space Force…Lasers, Satellites, Debt, Oh My!

By Toné Mason, DOD Senior Analyst

The Space Force has finally been established and its focus will be on national security and the preservation of satellites. But what exactly is it and where is it going? Will it include spaceships that shoot out laser beams?

Lots of people are asking lots of questions, but let’s get started with the biggest elephant in the room – armed combat. The Space Force will not include armed combat scenarios and the Air Force has no intentions to make it that way. Now that bubbles have been burst, what is the point of the Space Force if it won’t include armed combat? Why do we need a Space Force if there will be no armed combat?

Tips for Preparing for DOD’s New CMMC

By Hollie Kapos, Corporate Counsel

The Cybersecurity Maturity Model Certification (CMMC) has been one of the hottest topics in government contracting this year. In fact, one of my colleagues addressed the topic in a blog on DOD and CMMC just a few months ago.

And no wonder everyone’s talking about it – it applies to ALL companies doing business with DOD, including OEMs, distributors and resellers. Here’s some basic information to help you prepare no matter where you are in the supply chain.

What is CMMC?

Intellectual property theft and cybercrime cost the United States billions of dollars and threaten national security. In order to protect government information from theft and other malicious cyber activity, DOD is making cybersecurity an acquisition foundation. Accordingly, DOD is developing the Cybersecurity Maturity Model Certification – a certification process to measure a company’s ability to protect sensitive government data.
