After several fits and starts over the past five years, the Department of Defense (DoD) published its final rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 program (32 CFR Part 170) on October 15, 2024. Fittingly, October is also Cybersecurity Awareness Month.
Now that the rule is final and takes effect on December 16, 2024, it will mandate cybersecurity requirements for contractors working with the DoD, phased into contracts over the coming years. For perspective, in fiscal year (FY) 2024 the DoD was allocated $824.5 billion in discretionary budget authority, of which roughly 70% was obligated through contracts and grants for products and services. The DoD outspends all civilian agencies combined on contracts and grants. So if compliance looks like too much hassle and expense, keep in mind that opting out means forgoing a very large slice of the government contracting pie. And if you already do business with the DoD, the time has arrived to implement the controls required by CMMC Level 1 and Level 2.
Defense contracts that involve only Federal Contract Information (FCI) and are deemed low-risk fall under Level 1: an annual self-assessment against its 15 basic safeguarding requirements (the controls already in FAR 52.204-21), with no third-party assessor involved. Level 2 applies once controlled unclassified information (CUI) is in scope and covers the 110 requirements of NIST SP 800-171; most Level 2 awards will require a certification assessment by an authorized CMMC Third-Party Assessment Organization (C3PAO), although some lower-risk CUI contracts allow a Level 2 self-assessment instead. Level 3, intended for the highest-priority programs and the largest contractors, adds 24 requirements from NIST SP 800-172 on top of Level 2 and is assessed by the government itself, through the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
While it may seem overwhelming, and the cost of a Level 2 certification can be steep, think of it as a cost of doing business. One thing is certain: the costs incurred for compliance meet the FAR criteria for allowability. In other words, they are necessary, reasonable, and allocable, so, as with accounting-firm audits and most information technology costs, you can recover them through your indirect rates. Best of all, you don't have to go it alone: when your accounting system is hosted by a software vendor, a number of the controls are implemented in the vendor's environment rather than in yours, and the vendor should be able to evidence them for your assessment. These include, but are not limited to:
Level 1 Practices/Controls
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). For example, disable the accounts of former employees as soon as they leave the company.
- Perform periodic scans of the information system, and real-time scans of files from external sources as they are downloaded, opened, or executed.
Level 2 Practices/Controls
Access Controls
- Limit Unsuccessful Logon Attempts
- Terminate (Automatically) a User Session after a Defined Condition
- Remote Access Confidentiality: Employ cryptographic mechanisms for remote access sessions.
Audit and Accountability
- Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
- Authoritative Time Source: Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
- Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Identification and Authentication
- Multifactor Authentication: Use multifactor authentication for local and network access to privileged accounts, and for network access to non-privileged accounts.
Risk Assessment
- Vulnerability Scanning: Scan for vulnerabilities in organizational systems and applications periodically, and whenever new vulnerabilities affecting those systems are identified.
- Vulnerability Remediation: Remediate vulnerabilities in accordance with risk assessments.
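The audit and accountability items above (unique attribution of actions, authoritative time stamps, and protecting audit records from modification or deletion) are the ones an assessor is least able to verify by inspection, so it helps to see what a concrete mechanism looks like. The following Python sketch is an added illustration, not code from this page or from SYMPAQ: each audit record carries the acting user ID and a UTC time stamp and is chained to its predecessor with an HMAC under a key held by the logging service, so that an edit, a deletion or a reorder is detectable by anyone who can recompute the chain, and silent truncation is caught by comparing against the last MAC stored out of band (for instance in a SIEM or write-once store). The key, the user names and the records are all constructed for the example; the host clock is assumed to be NTP-synchronized, which is the part of the time-stamp requirement this snippet does not implement.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption (example only): the logging service holds this key. In production it
# comes from a KMS/HSM and is never stored next to the log it protects.
LOG_KEY = b"example-only-key-replace-me"

# MAC value chained into the first record, so the first record is covered too.
GENESIS = "0" * 64


def _mac(key, prev_mac, record):
    """HMAC-SHA256 over the previous record's MAC plus this record's canonical JSON."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_event(log, key, user, action, resource, ts=None):
    """Append one audit record.

    - `user` is the unique account that performed the action (AU.L2-3.3.2)
    - `ts` is a UTC time stamp; the host clock is assumed NTP-synchronized (AU.L2-3.3.7)
    - `mac` chains the record to its predecessor so edits/deletions are detectable (AU.L2-3.3.8)
    """
    prev = log[-1]["mac"] if log else GENESIS
    record = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user,
        "action": action,
        "resource": resource,
    }
    entry = dict(record, mac=_mac(key, prev, record))
    log.append(entry)
    return entry


def verify_chain(log, key, expected_last_mac=None):
    """Return (ok, first_bad_seq).

    Catches edited fields, deleted or reordered records, and records inserted
    without the key. Silent truncation of the tail is only caught when the
    caller passes the last MAC it previously stored out of band.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "mac"}
        if record.get("seq") != i or not hmac.compare_digest(entry["mac"], _mac(key, prev, record)):
            return False, i
        prev = entry["mac"]
    if expected_last_mac is not None and prev != expected_last_mac:
        return False, len(log)
    return True, None


def build_sample_log(key=LOG_KEY):
    """Constructed sample records; the users, hosts and paths are made up."""
    log = []
    append_event(log, key, "jdoe", "login", "sympaq-web", ts="2024-12-16T14:00:00+00:00")
    append_event(log, key, "jdoe", "read", "/cui/contract-0001.pdf", ts="2024-12-16T14:01:10+00:00")
    append_event(log, key, "admin", "account.disable", "former.employee", ts="2024-12-16T14:05:00+00:00")
    return log


def tamper_demo(key=LOG_KEY):
    """Run the verifier against an intact log and three manipulations of it."""
    log = build_sample_log(key)
    anchor = log[-1]["mac"]  # what a SIEM or write-once store would hold

    edited = [dict(e) for e in log]
    edited[1]["user"] = "someone.else"  # re-attribute the CUI read to another user

    deleted = [dict(e) for e in log]
    del deleted[1]  # remove the CUI read entirely

    truncated = [dict(e) for e in log[:-1]]  # drop the most recent record

    return {
        "intact": verify_chain(log, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "truncated_no_anchor": verify_chain(truncated, key),
        "truncated_with_anchor": verify_chain(truncated, key, anchor),
    }


if __name__ == "__main__":
    for name, (ok, bad_seq) in tamper_demo().items():
        print(f"{name:22s} ok={ok} first_bad_seq={bad_seq}")
```

Two design points matter for the control. The chain only proves integrity to someone who holds the key, so the verifier (and the key) must live outside the reach of the administrators whose actions the log records; and because a chain that is simply cut short still verifies, the last MAC has to be anchored somewhere the log writer cannot alter, which is why the truncation case passes without the anchor and fails with it.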
So there you have it: at least some of the Level 1 and Level 2 requirements are satisfied (or should be satisfied) by the software vendor that securely hosts your mission-critical applications. Two caveats apply. First, hosting shifts only the controls that live in the vendor's environment; your own endpoints, users and policies, and the evidence that the vendor actually operates those controls, remain your responsibility, so ask for that evidence before your assessment. Second, a cloud service provider that stores, processes or transmits CUI on your behalf must meet the FedRAMP Moderate baseline or equivalent under DFARS 252.204-7012. In the fourteen years that we have been hosting SYMPAQ software, we have never had a breach or a cybersecurity incident that would compromise our subscribers' CUI, and we intend to keep it that way!