CMMC Compliance: A Browser-Based Approach

Protect controlled unclassified information (CUI) at its most vulnerable point.

9 min read | Nov 26, 2024 | Updated: Nov 26, 2024

CMMC 2.0 compliance requirements are now officially here. On October 15, 2024, the Department of Defense (DOD) published the Cybersecurity Maturity Model Certification (CMMC) final rule, which will come into effect on December 16, 2024. After the DOD publishes a rule to amend Title 48 of the Code of Federal Regulations (CFR) – the Defense Federal Acquisition Regulation Supplement (DFARS) – CMMC requirements will be included in solicitations and contracts, meaning that CMMC compliance will be required to bid on DOD contracts. Expect to see CMMC requirements in contracts as early as Q1 2025.

This is all to say: now is the time to remain bid compliant while maintaining profitability. If you are a prime contractor thinking about how to manage flow-down requirements, or a subcontractor working on CMMC compliance with limited resources, it’s important to understand what compliance entails and how a new breed of browser is the fastest path to simplifying your CMMC journey.

What is CMMC and why is there a need for CMMC compliance?

The CMMC program is designed to enforce the protection of controlled unclassified information shared by the DOD with its primes and subcontractors. It provides the DOD with increased assurance that contractors and subcontractors meet existing cybersecurity requirements for non-federal systems processing CUI. Defense Industrial Base (DIB) compliance, namely with the cybersecurity controls laid out in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and required by DFARS 252.204-7012, will strengthen DIB cybersecurity and better safeguard the Department’s sensitive information.

CMMC Compliance - Key Features of the CMMC Program

  • Who must comply: Any member of the DIB that handles Federal Contract Information (FCI) and CUI during contract performance must comply with the CMMC.
  • Tiered model: CMMC requires companies entrusted with controlled unclassified DOD information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information.
  • Assessment requirements: CMMC third-party assessments provide the DOD with verification that the DIB is meeting cybersecurity standards.
  • Condition to contract awards: DOD contractors and subcontractors handling sensitive unclassified DOD information must achieve a specific CMMC level as a condition of contract award and option periods.
  • Phased implementation: The CMMC program will be implemented in four phases over three years.

The evolution of CMMC compliance — now what?

The three levels of compliance for CMMC are as follows:

Level 1: Basic safeguarding of FCI

Basic protection of FCI will require self-assessment at CMMC Level 1. Businesses must conduct these assessments annually and enter the results into the Pentagon’s Supplier Performance Risk System (SPRS).

Level 2: Broad protection of CUI

Broad protection of CUI at CMMC Level 2 will require either a third-party assessment or a self-assessment every three years. Which one applies is determined by the type of information processed, transmitted, or stored on the contractor’s or subcontractor’s information systems, and will be specified in the solicitation. Organizations that self-assess must do so every three years, with results entered into the SPRS.

If required, a CMMC Third-Party Assessor Organization (C3PAO) will conduct an assessment every three years, with results entered into the CMMC Enterprise Mission Assurance Support Service (eMASS). It is expected that most CMMC Level 2 compliance will require a third-party assessment conducted by a C3PAO.

Level 3: Higher-level protection of CUI against advanced persistent threats

A higher level of protection against risk from advanced persistent threats will be required for some CUI. Level 3 contracts will be required to comply with additional cybersecurity controls. This enhanced protection will require a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)-led assessment at CMMC Level 3.

Businesses must first obtain Level 2 approval. Assessments are then conducted by DIBCAC every three years, with results entered into CMMC eMASS. CMMC status will be valid for three years from the status date.

Implementation timing: Four stages

The DOD intends to implement the CMMC program according to the following structure and timeline:

  • Stage 1 – On the effective date of the DFARS final rule in early 2025, DOD will require Level 1 and Level 2 self-certifications as a condition of award.
  • Stage 2 – One year after Stage 1, DOD will require a third-party assessment for contractors with CUI in most circumstances as a condition of award. These assessments are conducted by a C3PAO.
  • Stage 3 – One year after Stage 2, DOD will require Level 2 Certification for option periods and Level 3 Certification Assessment for all applicable DOD solicitations and contracts as a prerequisite for contract award.
  • Stage 4 – One year after Stage 3, DOD will include the CMMC Program requirements in all applicable solicitations and contracts, including option periods.

Challenges in achieving CMMC compliance

Achieving CMMC compliance can be a complex, resource-intensive process for organizations, especially for small and medium-sized businesses (SMBs):

Remaining bid compliant while maintaining profitability. Implementing the necessary cybersecurity measures – including advanced encryption, multifactor authentication, and continuous monitoring – often requires significant investment in technology, personnel, and third-party assessments. In fact, the DOD estimates the cost of compliance at up to $63 billion over 20 years in present-value terms (see page 288 of the final rule).

Understanding and navigating the technical complexity of CMMC requirements may also create difficulties. This is especially true at Level 2. While very large prime contractors typically have controls already in place, smaller prime contractors and flow-down subcontractors may be implementing the security controls outlined in NIST SP 800-171 and SP 800-172 for the first time, leading to delays and errors in implementation.

The process maturity requirement, which demands formal documentation and regular reviews of cybersecurity practices, adds an extra layer of difficulty. Businesses must not only implement controls, but also demonstrate that they are consistently effective, which can be a time-consuming and ongoing effort.

The multiple implementation stages and levels embedded in CMMC standards mean that organizations must continually adapt and maintain compliance to remain competitive in the defense contracting space.

CMMC compliance flow-down requirements

CMMC flow-down requirements will mandate that any business processing, storing, or transmitting FCI or CUI must comply with CMMC standards. Noncompliance could result in contract termination, loss of contract renewal, and/or an inability to win new contracts.

Prime contractors are responsible for establishing the correct CMMC level requirements. They also must ensure that their suppliers and subcontractors meet the standards outlined in the appropriate level and that their partners complete and affirm continuous CMMC compliance. Additionally, primes must flow down the CMMC contract clause (i.e., DFARS) in subcontracts under contracts with a required CMMC level, with the only exception being if the subcontract is solely for the acquisition of COTS goods.

Businesses can mitigate their risk by performing audits, requesting SPRS data on subcontractors, and composing contracts that shift the compliance burden to suppliers and subcontractors. To reduce their exposure, businesses should begin to plan for monitoring and enforcing CMMC compliance with their own suppliers and subcontractors. Businesses should identify any information systems involved in working with FCI or CUI to determine the appropriate CMMC level requirement, and prepare to report any lapses in security or changes in CMMC level status to the appropriate DOD contracting officer within 72 hours.

Using an enterprise browser to help achieve CMMC compliance

The requirements set out in NIST 800-171 are broad, so no single cybersecurity product can cover every one of them. One of the most challenging aspects of CMMC 2.0 compliance, however, is the end user and their device, which expands the scope and complexity of audits. For a prime contractor, flow-down requirements add further risk.

With an enterprise browser — a web browser designed specifically to meet the unique needs of businesses — the process of keeping CUI in the cloud and compliance intact becomes much simpler and more cost effective.

Through Island, the leading Enterprise Browser, prime contractors can restrict CUI storage to a NIST 800-171 approved location — such as Microsoft Government Community Cloud High (GCC-H) — controlling, limiting, and protecting sensitive data. Prime contractors with multiple tiers of subcontractors can control access to CUI and ensure that CUI does not spread to the subcontractor endpoint.

Island creates an application boundary around authorized users, devices, networks, data, and applications. This boundary applies a set of policies that prohibit users from transferring data onto their devices or into unsanctioned applications. Island’s last-mile controls govern actions such as saving, printing, copying, and pasting. These occur within a familiar browser interface that doesn’t require user training or additional infrastructure.

Island’s Enterprise Browser supports prime contractors and their subcontractors to comply with CMMC in several ways.

Contains CUI in the prime contractor’s authorized systems: Prevent users from downloading CUI to a local disk, pasting it outside of an authorized application, printing CUI, or otherwise mishandling sensitive data. Island can be installed on any device, making it the perfect solution for protecting your data when flow-down contractors and suppliers access it.

Reduces CMMC compliance cost: Meet the regulatory requirements for a majority of the controls outlined in NIST 800-171. This includes:

  • Restricting access to CUI based on identity, location, device, or other factors
  • Enforcing policies, such as requirements around device security policy, location, time of day, and more
  • Providing full visibility into user actions involving CUI, and sending detailed logs to your preferred storage location
  • Sharing comprehensive audit logs with C3PAO auditors as evidence of CMMC controls

Improves the user experience and usability for employees and flow-down contractors: Island provides a consistent workplace experience for employees and contractors regardless of their devices. In addition to providing the controls that govern how they interact with sensitive data, Island also includes several improvements to the end user experience.

It starts with the managed homepage. Organizations can provide all of the links and information an employee needs – based on their role – right on their homepage. This is dynamically updated, allowing you to roll out new applications and workflows with ease.

Island provides several productivity tools within the browser, which enable efficient user workflows and collaboration. These include a screenshot tool with markup capabilities, PDF editor, and clients for SSH and RDP, among others. Policy enforcement is consistent across the full Enterprise Browser workspace, making it the ideal solution to balance CMMC compliance and workflow productivity.

Secure CUI and simplify audits with Island Enterprise Browser

CMMC compliance is quickly becoming business critical for organizations in the DIB, but navigating its complex requirements can be daunting. With the Island Enterprise Browser, businesses can simplify compliance while maintaining security and productivity — directly through the browser.

By creating secure application boundaries and embedding robust controls, Island ensures CUI stays within authorized systems, reducing audit scope and risk. For prime contractors managing flow-down requirements, Island offers the tools to enforce compliance seamlessly across subcontractors with a user-friendly design that improves workflows for employees and contractors alike.

As CMMC requirements phase into contracts, adopting an enterprise browser positions your organization for compliance success.

Scott Montgomery

Scott Montgomery has a tenured career building information security and privacy products, helping organizations increase their defensive posture, evangelizing to technical audiences and the greater public, and driving shareholder value. Scott loves making difficult infosec concepts more accessible to wider audiences. He has presented to numerous audiences as a lecturer and has also testified before Congress. Scott has designed, built, tested, fielded, certified, sold, and supported a wide range of information security and privacy products, notably during a ten-year stint with McAfee. He has also held multiple Chief Technology Officer positions, including for private and public organizations. A native Philadelphian, Scott, his wife, two kids, and two standard poodles now live just outside Washington, DC in suburban Maryland.