There has been a marked increase in the number of Department of Defense contracts and requests for quotes requiring specific Cybersecurity Maturity Model Certification (CMMC) 2.0 levels or referencing Controlled Unclassified Information (CUI) since January.
Increased enforcement of CMMC 2.0 compliance aligns with the drastic changes the White House has made to government contracting to improve oversight of IT and security contractors and resellers.
Previously, DOD struggled to ensure whether contractors — smaller primes and boutique providers, in particular — could secure their data the way it required them to.
CMMC 2.0 is not only a boon for the government but companies such as CDW Government, which is prepared to build in accordance with the framework.
Click the banner below to start complying with CMMC 2.0.
CMMC 2.0’s Impact on Civilian Agencies and States
Civilian agencies will soon have requirements similar to CMMC 2.0. The General Services Administration released a draft IT Security Procedural Guide on Jan. 5 for comment, which focuses on contracts where CUI is involved.
When the civilian side of the government acts on requirements such as these, state governments tend to follow a few years later. Suffice to say, CMMC 2.0 is here to stay, and even companies that don’t do business with the government may soon find they’re losing work if they fail to get out in front of the requirements.
Meanwhile, serving the military and civilian markets will soon be similar, especially where CUI is involved.
While the rules may seem tedious — such as separating customer information from bills of materials (BOMs) — an unintended benefit is ensuring easily scrapable data isn’t available for data mining by foreign adversaries’ artificial intelligence.
Click the banner below for the latest federal IT and cybersecurity insights.
Preparing to Handle Controlled Unclassified Information
CMMC 2.0 faced a hiccup earlier this year because the third-party assessment organizations (3PAOs) required to validate contractors at their desired CMMC levels weren’t validated themselves until the end of 2024. The resulting bottleneck was a problem for contractors without a certified 3PAO already lined up — particularly, smaller solutions providers, which may still be feeling the effects.
Fortunately, CDW had a 3PAO ready and had also prepared for the technology challenges CMMC 2.0 presents the defense industrial base. CMMC 2.0 demands that only U.S. persons touch or have access to CUI data and environments, and large organizations such as CDW can rely on global IT support, especially during off-hours.
CDW met these requirements by spending two years building its own environment, the Secure Enclave, to replace most of its IT functions — email, voice, video, sharing, office tooling and Salesforce — with custom versions. CDW controls access to the Secure Enclave by requiring those requesting it to place a ticket with coworker services, which then investigates whether the potential user is a U.S. person. Additionally, the Secure Enclave has a much more stringent level of IT security controls to ensure data protection.
Collaborating with agency partners is as simple as making sure they have the CDW Government contact info affiliated with the Secure Enclave and directing communication and contracting through the appropriate portal.
