With the first quarter of the new year in the rearview mirror and promises of updates to the cybersecurity landscape to come throughout 2023, government contractors handling controlled unclassified information (CUI) under their (or their partners’) federal contracts should ready themselves now. Staying engaged and chipping away at the compliance block is vital to avoid growing pains later, before it’s too late.
Although the Cybersecurity Maturity Model Certification (CMMC), with limited exceptions and near universal applicability to Defense Department contractors, and the Federal Risk and Authorization Management Program (FedRAMP), with limited application to only cloud service providers, are typically discussed in silos, they share many conceptually similar elements and objectives, deriving most of their controls from overlapping cybersecurity frameworks (NIST 800-171 and NIST 800-53, respectively). Their alignment is conceivable and likely.
The government has also publicly recognized deliberate CMMC and FedRAMP alignment. For example, last year, the DoD announced its intent to honor CMMC reciprocity for FedRAMP certifications (despite FedRAMP being a government-wide certification, not specific to the DoD) and has not since deviated from these alignment goals — that we know of.
Because alignment is vital for government contractors seeking to cost-control their compliance and to realign their partnership and supply chain initiatives, closely tracking each program’s individual and overlapping developments will pay dividends.
While the current landscape is taking shape, much remains uncertain. The 2023 National Defense Authorization Act (NDAA) finally codifies FedRAMP and reinforces the “presumption of adequacy” concept whereby contractors can achieve certification with an agency once and reuse the certification across other agencies, avoiding disparate standards and requirements. This first step is at least indicative of a push toward streamlined processes and a coordinated government-wide effort to lessen the compliance burden. The NDAA does not, however, shed light on the specific rules and guidance the General Services Administration (GSA) and Office of Management and Budget (OMB) will propose in the coming months. Nevertheless, the guidelines and rules are expected to cover, at the very least, the products and services falling under FedRAMP’s purview, requirements for agency authorization, and the FedRAMP authorization process.
Perhaps closer to implementation is the NIST 800-171 enforcement program, CMMC, now on version 2.0 — an effort to pare the 1.0 levels of maturity down from the original five to just three. While updates on the CMMC scene have been slow to come for some time now, OMB quietly listed the compliance program in its Fall 2022 Unified Regulatory Agenda, with rulemaking scheduled for sometime in May. With more concrete discussions on the horizon, the government contracting community can expect to see decisions made in the form of a formalized proposed rulemaking process as early as this summer.
The rulemaking timelines for both FedRAMP and CMMC seem to reinforce the government’s alignment goals further. Although the exact timeline for full program implementation is fraught with innumerable variables, the third or fourth quarter of 2024 for both FedRAMP and CMMC implementation and alignment seems possible (using an aggressive estimation of the timing involved in the rulemaking process for each because, well, we’re optimists).
So what can you do between now and the third/fourth quarter of 2024 to prepare for full cybersecurity compliance implementation? At a bare minimum, we recommend taking the following six steps if you are a government contractor or subcontractor handling CUI that may need to achieve CMMC compliance and FedRAMP certification (or if you use partners that need to comply). Spoiler alert: No, you do not need to get a costly third-party assessment as a first step toward compliance.
Assess whether your company needs to comply with NIST 800-171 as part of its federal contract or subcontracting opportunities. You should review your federal contracts and subcontracts for references to the related Defense Federal Acquisition Regulation Supplement (DFARS) clauses: 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, 252.204-7020 NIST SP 800-171 DoD Assessment Requirements, and 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements. Then, you should take stock of your compliance efforts related to those clauses, if any. If you made concerted efforts to achieve the NIST 800-171 requirements previously, chances are you are well on your way to Level 2 CMMC compliance too, because you will already have in place a System Security Plan (SSP).
Conduct a gap analysis and mapping exercises. Regardless of whether your company already has a documented SSP, take stock of your NIST 800-171 related policies, procedures, technical practices, and, as applicable, any deltas thereto since last documenting your SSP. This is the time to be resourceful — if you are starting out from ground zero, locate reliable SSP templates to get a baseline understanding of the documented policies, procedures and practices that are required. Then ensure the NIST 800-171 controls and requirements are fully covered in that template. Map these requirements to the NIST 800-53 controls to determine where the gaps exist between those two frameworks to ensure compliance with both CMMC and FedRAMP. There are many resources and software options available that do this for you if you have the budget.
Choose your vendors, if any, wisely, and consider CMMC-related services to help fill any technical practice gaps in your NIST 800-171 compliance. Most companies are not going to use home-grown technologies and tools for every single technical practice. For instance, a company might consider buying software for managed detection and response and malware abatement or opt for a suite of managed IT services (e.g., endpoint management, cloud backup, encryption). Do your research on offerings and whether those CMMC-related service providers have to be FedRAMP certified.
With that said, do not make yourself crazy trying to comply with every single NIST 800-171 and NIST 800-53 control and requirement. Both programs, CMMC 2.0 and FedRAMP, permit you to have in place a plan to comply, known as the Plan of Action & Milestones (POA&M). As long as your company is actually capable of closing the compliance gaps documented in the POA&M, incorporate them into your compliance plan to control cost.
Familiarize yourself with the 2022 FedRAMP Readiness Assessment Report Guide and Readiness Assessment Reports as a first step toward agency Authority to Operate (ATO) approval if you need to become FedRAMP compliant. These documents serve a dual purpose for achieving CMMC compliance because they incorporate many NIST 800-171 requirements. If you are FedRAMP eligible, you will likely meet the CMMC 2.0 compliance requirements too.
Business model and budget permitting, also consider partnering with CMMC compliant and FedRAMP-certified companies and limiting or eliminating your handling of CUI from a process standpoint, or better yet, by leveraging technical solutions such as creating secured enclave environments.
The current cybersecurity compliance landscape may seem daunting to the average government contractor, particularly if you are in a start-up phase or of small or mid-sized stature. But by finding yourself here, you’re already taking the first step. By breaking your compliance efforts into smaller digestible chunks and by not reinventing the wheel, you are better positioning your organization for success come late 2024 (or whenever the powers that be determine compliance is no longer negotiable).
Kelly Kroll, Partner, and Kelly Carlson, Associate, are attorneys in the Government Contracts group at Morris, Manning & Martin, LLP. They are based in Washington, D.C. and can be reached at firstname.lastname@example.org and email@example.com, respectively.