Georgia Tech Procurement Assistance Center


CMMC 2.0 simplifies requirements but raises risks for government contractors

December 14, 2021 By Nancy Cleveland

With the announcement of a revamped Cybersecurity Maturity Model Certification (known as CMMC 2.0), the U.S. Department of Defense (DOD) has, for the third time in five years, announced new, comprehensive cybersecurity standards for government contractors and subcontractors to protect sensitive unclassified information, that is, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  By calling the new standard CMMC 2.0, the DOD implicitly acknowledges the likelihood of future versions, at an unknown cost to the Defense Industrial Base (DIB).

Nevertheless, version 2.0, released after a seven-month review by the Biden Administration, reflects the DOD's assessment of the DIB's concerns and its effort to streamline the earlier version after criticism of its cost and complexity.  Specifically, CMMC 2.0 collapses CMMC 1.0's five tiers into three simplified tiers that are based on the underlying cybersecurity framework (the FAR 52.204-21 basic safeguarding requirements at Level 1 and NIST SP 800-171 at Level 2) and that drop the additional CMMC-unique practices and processes.  CMMC 2.0 also allows an "annual self-assessment with an annual affirmation by DIB company leadership" for Level 1 and for part of the new bifurcated Level 2 (formerly Level 3).  Otherwise, an independent third-party assessment or a government-led assessment will be required.

Besides CMMC 2.0, contractors that handle CUI must also comply with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7019 and 252.204-7020.  Collectively, these clauses require contractors to enter the results of their National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 self-assessment into DOD's Supplier Performance Risk System (SPRS).  DOD will identify medium- and high-risk contracts and perform its own Medium or High assessments of contractor compliance with NIST SP 800-171, checking whether a contractor's actual implementation matches the score it entered into SPRS.  Contractors should also be mindful of whether these disclosures are consistent with their prior acceptance of contracts containing DFARS 252.204-7012, which already required implementation of NIST SP 800-171.

The return of self-assessment, which was the bedrock of the first DOD cybersecurity standards set out in DFARS 252.204-7012 and whose failure led to the development of CMMC 1.0, creates substantial risks for DIB companies and their leadership.  The U.S. Department of Justice (DOJ) recently announced a Civil Cyber-Fraud Initiative that emphasizes use of the False Claims Act (FCA), 31 U.S.C. § 3729 et seq., to bring civil actions against government contractors that knowingly misrepresent their cybersecurity practices and protocols.  The FCA allows the government to recover treble damages and permits qui tam suits, in which whistleblowers receive a portion of the money recovered by the government.  In addition, other regulatory agencies have brought enforcement actions for alleged false certifications of compliance with agency-required cybersecurity standards.  Thus, the risk of a DOJ investigation or a qui tam suit tied to a DIB company's self-assessment affirmation is very real, and the timing of this announcement, coupled with the self-certification options in CMMC 2.0, should not be seen as a coincidence.  Nevertheless, companies can reduce these risks with appropriate cybersecurity policies, documented evidence behind each affirmation, and a culture of compliance.

Continue reading at:  JD Supra

Filed Under: Contracting Tips Tagged With: CMMC, CMMC 2.0, cybersecurity, Cybersecurity Maturity Model Certification

Georgia Defense Industrial Base Task Force hosting CMMC summit May 18th

May 7, 2021 By Nancy Cleveland

No matter where you are on the CMMC journey, there are resources to support you.  Join the Georgia Defense Industrial Base Task Force (GDIBT), a partnership between the Georgia Department of Economic Development (GDEcD), the Georgia Cyber Center, and the Technology Association of Georgia (TAG), on May 18 from 9 a.m. to 12:30 p.m. to map out your path forward.

Join local businesses as they share their experiences with CMMC and answer your questions.  CMMC-AB Marketplace providers and cyber professionals will explain how their tools and "turn-key" services support your CMMC journey.  Chart your course further with a training session focused on NIST SP 800-171 and more.

PRICE: FREE

FORMAT: VIRTUAL

Event Contact:
Heather Maxfield
(404) 920-2022

Date and Time:  Tuesday, May 18, 2021 (9:00 AM – 12:30 PM) (EDT)

Registration Link:  https://members.tagonline.org/calendar/Details/cmmc-summit-337318?sourceTypeId=Hub

AGENDA

9:00 – 9:05 AM      Welcome, Larry Williams, President and CEO, TAG

9:05 – 9:10 AM      Eric Toler, Executive Director, Georgia Cyber Center

9:10 – 9:20 AM      Keynote, Dr. Joye Purser, Regional Director, Region 4, Cybersecurity and Infrastructure Security Agency (CISA)

9:20 – 10:20 AM     Peer Panel, moderated by Roy Hadley, Adams and Reese, LLP

  • Allison Giddens, Co-President, Win-Tech
  • Allison Stewart, Compliance Analyst & Training, Top Flight
  • Miguel Garcia, AMRAAM Project Manager / Business Development, Collins Manufacturing

10:20 – 10:35 AM    Break

10:35 – 11:35 AM    UGA SBDC "NIST 800-171 + Beyond" Training

  • Mark Lupo, UGA SBDC

11:35 – 12:25 PM    "Solutions" Provider Panel, moderated by Roy Hadley, Adams and Reese, LLP

  • Horacio Maysonet, President & CEO, Cyber Security Solutions
  • Chris Silvers, Founder and Principal Consultant, CG Silvers
  • Chris Hallenbeck, Chief Information Security Officer, Americas, Tanium

12:30 PM            Closing, Cassia Baker, Georgia Department of Economic Development Center of Innovation for Aerospace

Filed Under: GTPAC News Tagged With: CMMC, cybersecurity, Cybersecurity Maturity Model Certification

CMMC: Some frequently asked questions

April 22, 2021 By Nancy Cleveland

The National Defense Industrial Association has held a series of webinars for its members focusing on the latest news coming out of the Defense Department on the Cybersecurity Maturity Model Certification.

NDIA Senior Vice President of Strategy and Policy Wes Hallman, Director of Regulatory Policy Nick Jones, and Principal Director of Strategy Corbin Evans led a webinar on Feb. 18 and answered some written questions posed by members afterward.

The next members-only webinar is scheduled for April 15.

The questions and answers from that previous session have been edited for clarity and length.

Continue reading at:  National Defense Magazine

Filed Under: Contracting Tips Tagged With: CMMC, Cybersecurity Maturity Model Certification

CMMC is coming: How government contractors can prepare

April 22, 2021 By Nancy Cleveland

People like to say that cybersecurity threats are constantly evolving.  So perhaps it’s fitting that cybersecurity compliance is undergoing a significant evolution of its own this year, too.

That evolution is the arrival of the Cybersecurity Maturity Model Certification, more commonly abbreviated as CMMC.  CMMC is a new cybersecurity standard that the U.S. Defense Department is rolling out to defense contractors, requiring companies to apply new oversight across their own operations and down their supply chains.

The Defense Department's goal is to make CMMC a standard clause in all defense contracts by 2026, including for higher education institutions that perform government-sponsored defense research and for professional services firms that consult for the Defense Department.

Even if you are not a prime defense contractor, CMMC is still likely to join your list of compliance obligations soon, because primes must flow the requirement down to the subcontractors that handle FCI or CUI.

Continue reading at:  Risk & Compliance Matters

Filed Under: Contracting Tips Tagged With: CMMC, cybersecurity, Cybersecurity Maturity Model Certification

What is CUI – The devil is in the details

April 7, 2021 By Nancy Cleveland

Controlled unclassified information (CUI) is defined, in part, as “information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

Despite this seemingly straightforward definition, identifying CUI has been a challenge for the government and contractors.  This challenge has become particularly evident as the Defense Department implements its interim rule to the Defense Federal Acquisition Regulation Supplement to protect CUI through a mandatory Defense Department assessment methodology and through a slow rollout of its Cybersecurity Maturity Model Certification program.

Continue reading at:  National Defense Magazine

Filed Under: Contracting Tips Tagged With: CMMC, CUI, cybersecurity, Cybersecurity Maturity Model Certification

Tips to prepare for a first CMMC assessment

March 30, 2021 By Nancy Cleveland

With cyber attacks on the defense supply chain acknowledged as an ever-increasing threat to national security, it came as no surprise when the Defense Department last year introduced a more robust cybersecurity framework in the form of the Cybersecurity Maturity Model Certification (CMMC).

Businesses must meet one of five levels of certification.  The new standard is already required for certain defense contracts, and the planned five-year rollout aims to ensure that, by 2026, all government defense work will include the CMMC requirement, affecting more than 300,000 contractors.

Preparation is the key to success.  The sooner a company begins preparing for a CMMC third-party assessor organization (C3PAO) to come in, the smoother its progress along the journey will be.

Continue reading at:  National Defense Magazine

Filed Under: Contracting Tips Tagged With: CMMC, Cybersecurity Maturity Model Certification

Podcast: CMMC, and transitioning to the new requirements

March 30, 2021 By Nancy Cleveland

DoD faces a steady stream of attacks, and these attacks are increasingly creative, targeting DoD's trusted supply chain rather than DoD directly.  The SolarWinds incident is an example: a trusted software supplier was compromised, and the malicious code reached its customers through the supplier's own signed updates.

To counter attacks of this kind, DoD created the Cybersecurity Maturity Model Certification (CMMC), which companies that do business with DoD may need to comply with in order to keep that business in the future.

The Federal News Network recently held a podcast with John Gilroy and FedHIVE CEO Michael Cardaci, who discussed ways to smooth the transition to the Cybersecurity Maturity Model Certification, or CMMC.

Listen to the Podcast at:  The Federal News Network

Filed Under: Contracting Tips Tagged With: CMMC, cybersecurity, Cybersecurity Maturity Model Certification

Final rule, formal training on CMMC could hit this summer

February 22, 2021 By Nancy Cleveland

A final rule on the Defense Department’s unified cybersecurity standard could debut as soon as this summer, defense officials said.  But implementation hinges on standing up a formal training system.

Diane Knight, who is DOD’s lead for the Cybersecurity Maturity Model Certification program’s pathfinders and pilots, said a final rule could roll out as soon as April but wouldn’t confirm a concrete timeline.

“There will be a final rule and we have that identified on schedule coming up here too,” Knight said Jan. 26 during a virtual town hall hosted by the CMMC Accreditation Body (AB).

Knight also previewed a "notional" timeline for the pilots in which requests for proposals would be released in April and awards would come in August.  By April, contractors seeking to participate in the pilots would be expected to have prepared for a CMMC assessment, reviewed the requirements with their subcontractors, and requested an assessment from an authorized third-party assessor organization (C3PAO).  Proposals would be due by July, according to the documents, and a certification would be needed when the contract is awarded.

Continue reading at:  FCW

Filed Under: Contracting News Tagged With: CMMC, cybersecurity, Cybersecurity Maturity Model Certification

DOD’s cybersecurity certification requirements to appear in DHS contracts

February 22, 2021 By Nancy Cleveland

The Department of Defense is figuring out how to incorporate its Cybersecurity Maturity Model Certification program in contracts offered by the Department of Homeland Security, according to the official helming the initiative.

The CMMC program will ultimately require all defense contractors to have their cybersecurity practices certified by a system of independent third-party assessors.  As it is now, companies simply pledge their adherence to the security controls detailed in standards issued by the National Institute of Standards and Technology.

Rules to implement the program are expected to be finalized as early as next month and have caused some heartburn within the contracting community.  But the program is being rolled out in phases—15 prime contractors, and all their subcontractors, are being selected to undergo assessments this year—and won’t be fully applicable until 2025.

Continue reading at:  Nextgov

Filed Under: Contracting News Tagged With: CMMC, cybersecurity, Cybersecurity Maturity Model Certification, minimum wage

Arrington forecasts CMMC in every DoD contract by FY2026

February 22, 2021 By Nancy Cleveland

By Fiscal Year 2026, every contractor seeking to do business with the Department of Defense (DoD) will be required to have at least a Level 1 Cybersecurity Maturity Model Certification (CMMC), Katie Arrington, the Pentagon’s CISO for acquisition and sustainment, said Feb. 3.

DoD plans to roll out 15 prime contracts that include the CMMC requirement this year, scaling up gradually to a peak of 479 contracts in each of Fiscal Years 2024 and 2025.  Those plans assume up to around 100 unique subcontractors on each prime contract, meaning the goal is to have 1,500 CMMC-certified contractors by the end of Fiscal Year 2021, which ends Sept. 30.

“CMMC is coming to a company or a program near you,” Arrington said at Washington Technology’s CMMC webinar Feb. 3.  “This is not a checklist…Technology is something that is really great, but you need to understand the risk-reduction strategies associated with it.”

Continue reading at:  MeriTalk

You can find GTPAC guidance on CMMC here:  https://gtpac.org/cybersecurity-training-video/

Filed Under: Contracting News Tagged With: CMMC, cybersecurity, Cybersecurity Maturity Model Certification


Copyright © 2023 · Georgia Tech - Enterprise Innovation Institute