
Third-Party Risk Management Through a CMMC Lens

CMMC requirements don’t just apply to Federal primes and their subcontractors – they also extend to all third-party contractors in their ecosystem. Interestingly, these third-party services may not have any direct involvement in defense contracts, but, by proxy, they must still adhere to the same standards.

We can draw parallels from global software and data privacy and security policies that other companies must comply with, to wit: any third-party provider connected to the data falls under the same umbrella. Should a breach occur, the contracting company assumes responsibility for all connected entities and their conduct.

Though the CMMC rules are considerably more stringent, specific, and consequential, the underlying principle is the same. Contracting organizations must ensure that their subcontractors and third-party suppliers meet the same standards in every sense.

So, what does this mean for the Defense Industrial Base (DIB) and other federal contractors?

In the wake of the final rule, many Level 2 organizations remain in a holding pattern, awaiting their official assessment. Because of the extreme shortage of qualified CMMC Third-Party Assessment Organizations (C3PAOs), we can expect delays and disruption on an unimaginable scale.

Of course, miracles may happen, but given the complexities of compliance, clearing the logjam in a reasonable timeframe seems unlikely.

Do Not Underestimate Third-Party Risks

Many firms—federal contractors among them—are entering one of the riskiest periods they will ever encounter. Beyond the controls they know they need to implement within their own environments, they also need to extend the same effort to ensure their third-party suppliers are similarly aligned.

Considering the complexity of today’s supply chains, the resources and commitment will be significant.

Companies will need to:

  • Conduct thorough scoping to identify all in-scope systems and vendors in their supply chain.
  • Implement continuous monitoring and frequent vendor reassessment.
  • Work with experienced compliance partners to bridge all gaps.

Evaluating third-party risk is an ongoing process. The steps taken during the CMMC readiness process and subsequent assessment should inform your strategy:

  1. Map data flows and relationships to understand which of your third-party vendors handle CUI or FCI.
  2. Categorize vendors based on risk level, informed by step 1.
  3. Assess vendors against the NIST controls required for their CMMC level (17 for Level 1, 110 for Level 2).
  4. Review security policies and request documentation as evidence.
  5. Conduct penetration testing and vulnerability scanning as needed to identify issues.
  6. Prioritize findings by risk severity and likelihood.
  7. Document findings and mitigation strategies thoroughly.
  8. Include CMMC clauses in all vendor contracts.
  9. Use dashboards to track compliance.
  10. Periodically review certifications, as applicable.
  11. Work with your vendors to support their compliance efforts.
  12. Integrate third-party risk management into a continuous lifecycle.
  13. Leverage the NIST framework to guide the process.

The Bottom Line

CMMC may currently reside solely in the Federal realm, but the framework has the potential to extend to almost every industry that handles sensitive information. There will undoubtedly be a ripple effect across non-DoD sectors and supply chains.

Overlapping regulatory regimes will add to the complexity, underscoring the need for a standardized framework to mitigate the ensuing chaos.

Third-party compliance is an integral part of CMMC compliance. A single noncompliant supplier is a vulnerability that can result in disqualification from contracts, severe financial and legal liability in the event of a breach, loss of trust among all connected stakeholders, and supply chain interruptions should a vendor be disqualified for noncompliance.

Speak to an Essendis expert today to learn how you can manage third-party risk, protect your contracts, and stay compliant with CMMC rules.
