CMMC is a program created by the U.S. Department of Defense (DoD) to protect the Defense Industrial Base (DIB) from cyber attacks and augment the protection of sensitive information, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), within its supply chain. This program has its own framework consisting of cybersecurity requirements to which entities seeking to do business and/or enter into a contract with the DoD will soon be required to comply and be certified against.

Recently, the DoD updated the CMMC framework to version 2.0. This updated version, consists of three maturity levels containing practices based on established cybersecurity requirements and regulations, such as NIST SP 800-171, Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, etc. Third-party assessments are required for certain levels of certification and must be performed by a CMMC Third-Party Assessment Organization (C3PAO).

Currently, this framework is in the rulemaking process which takes about 9-24 months and will result in the finalization and enforcement of these requirements in DoD contracts. This information is subject to change until the conclusion of the rulemaking process.

Interim DFARS Rule

The interim Defense Federal Acquisition Regulation Supplement rule (DFARS 252.204-7021) is a major rule change which went into effect on 11/30/2020. This rule change adds three new clauses to the original one which mandates compliance with NIST 800-171 for entities handling CUI. Two of the new clauses introduce and establish the CMMC requirements. The third one requires companies handling CUI to complete a self-assessment or Basic Assessment. This must be done using the DoD Assessment Methodology and a score must be generated. This score along with the gap remediation date into the Supplier Performance Risk System (SPRS). When the contract is awarded, a DoD contracting officer will verify the uploaded score. The DoD will then perform risk-based assessments to determine which company will be awarded the contracts. The rule extends all the above requirements to any subcontractors.

FAQs

What level of CMMC Certification is needed?

Level 1 certification will be required for all companies and institutions in contract with the DoD. Level 2 certification will be required for any contract handling CUI. At present, Drexel University plans to acquire a Level 2 certification.

What is a "C3PAO"?

A “C3PAO” or CMMC Third-Party Assessment Organization is an entity certified to provide consultative advice OR certifies assessments.

What is NDAA 889?

The National Defense Authorization Act Section 889 (NDAA 889) is an amendment to the Federal Acquisition Regulation (FAR). It prohibits government agencies from entering, extending, or renewing a contract with an entity using equipment, system(s), or service(s) classified as covered telecommunications and video surveillance equipment or services.

The US Government updates this rule periodically. In addition to the list of companies below and their subsidiaries and affiliates, the list of prohibited entities now includes other entities believed to be owned, controlled by, or connected to either the People's Republic of China or the Russian Federation.

• Huawei Technologies Company
• ZTE Corporation
• Hytera Communications Corporation
• Hangzhou Hikvision Digital Technology Company
• Dahua Technology Company
• Kaspersky Labs




Drexel will have to certify that any equipment, systems, or services used in research or other work with the Government do not contain any covered telecommunications and video surveillance equipment or services covered under NDAA 889. Purchasing equipment and services from these vendors could jeopardize Drexel's ability to receive federal funding.

How does it affect Drexel?

Meeting all CMMC requirements is important in order to remain eligible for DoD research contracts. Not being compliant may impact Drexel’s research status.

Individuals or groups seeking to do business with the DoD should:

• Review the Request for Information (RFI) and Request for Proposal (RFP) for the appropriate CMMC level.
• Ensure the appropriate cybersecurity measures in place for the required CMMC level.
• Possess the appropriate level of CMMC certification before accepting an award.
• Ensure compliance with the NDAA 889 regulation.
• Comply with the interim DFARS rule.

Additional Resources

CMMC:

• DoD CMMC webpage
• DoD CMMC FAQ
• The Cyber AB (formerly CMMC Accreditation Body)
• Federal Register: Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward
• Terminology
  • CMMC Glossary and Acronyms PDF
  • The Cyber AB Terminology in CMMC Ecosystem
    

NDAA 889:

• FAR: Prohibition on Contracting With Entities Using Certain Telecommunications and Video Surveillance Services or Equipment
• DFARS: Covered Defense Telecommunications Equipment or Services (DFARS Case 2018-D022)   
• DFARS Publication Notice 20221028
  

Interim DFARS rule:

• DFARS: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
• OCD TECH article "The CMMC DFARS Interim Rule Explained"