Don’t Wait for CMMC 2.0 to Move to Deltek’s GovCon Cloud

February 06, 2023
Michael Greenman
Sr. Product Marketing Manager

Nearly every week, there’s a new article or blog post about CMMC, the Department of Defense’s Cybersecurity Maturity Model Certification program, and whether it will be a contract requirement within months or is never going to happen. Deltek isn’t waiting for final approvals by the Federal Government for CMMC to be official, nor should you.

The original intent behind CMMC was to shore up cybersecurity maturity and readiness for the Defense Industrial Base (DIB) against foreign and domestic threats to data security. But long before CMMC 1.0 was proposed in 2020, the Federal Government had been busy drafting and finalizing regulations and security frameworks to accommodate this controversial yet pivotal program to protect our nation’s Controlled Unclassified Information (CUI).

Now with CMMC 2.0 nearly ready for prime time, there are still many misconceptions about what that means for defense contractors. The bottom line is that if you handle CUI today, you should already comply with the security control requirements of NIST SP 800-171, which has been the requirement since 2017. If you have any doubt that you are compliant, don’t wait until the CMMC requirement shows up in your DoD contracts and risk losing business or receiving financial penalties for non-compliance – contact Deltek today about securing your data in Deltek’s Costpoint ERP in the GovCon Cloud.

Data Protection Requirements (and Penalties) Exist Today

Federal Contracting Requirements specify which standards must be met in every project contract to ensure government contractors comply with the major cybersecurity programs and frameworks. Federal Acquisition Regulation (FAR) 52.204-21 is a contract clause that enforces compliance with protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by requiring “basic safeguarding requirements and procedures to protect covered contractor information systems.”

All defense contractors are CURRENTLY subject to the guidelines of the FAR and the Defense Federal Acquisition Regulation Supplement (DFARS). Specifically, DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires defense contractors to provide “adequate security” for Covered Defense Information (CDI), which is defined as CUI data that is provided to or created by the defense contractor in fulfillment of the contract.

Even though enforcement of these clauses has been somewhat limited, the requirements still exist and there are legal penalties for knowingly providing inaccurate information to the Federal Government. In October 2021, the Department of Justice announced the launch of the Civil Cyber-Fraud Initiative which utilizes the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients, including those who “knowingly misrepresent their cybersecurity practices or protocols, or knowingly violate obligations to monitor and report cybersecurity incidents and breaches.” Since launching, there have been reported cases where contractors have paid hefty fines for misrepresenting compliance with cybersecurity maturity and readiness under this new program.

CMMC: A Brief Background

In 2016, the DFARS clause 252.204-7012 was finalized and began appearing in all Defense contracts, requiring all contractors to self-assess and report a cyber maturity score against the security controls of NIST SP 800-171 through an online portal – the “Supplier Performance Risk System” or SPRS. NIST SP 800-171 is the security control framework that outlines the recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI).

Many companies subject to DFARS requirements for data protection are likely not assessing their cybersecurity practices adequately for various reasons, including unclear direction from DoD, which is why there has been a push for outside review of these security practices by certified third-party organizations or C3PAOs. This has been validated through industry research and a 2019 GAO report.

When finalized, CMMC will be the program that puts teeth into enforcing DFARS 252.204-7012 and verifying cybersecurity maturity against NIST SP 800-171 security controls. The CMMC certification requirement will also be backed up by CFR Title 32, making enforcement of the rule a Pentagon-level program and not just a contract clause like previous programs.

What This Means for Defense Contractors

Cloud Service Providers (CSP) are required by DFARS 252.204-7012 to meet or exceed federal guidelines and standards for their customers. So, suppose a DIB contractor intends to use an external cloud service provider to store, process, or transmit any CDI. In that case, the CSP needs to meet security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline. The CSP will also need to meet requirements for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment, when working with a government contractor.

Deltek’s Costpoint, a project-based ERP solution purpose-built for government contractors, has implemented all the necessary controls to comply with these contract requirements when delivered in GovCon Cloud Moderate (GCCM). In addition, Deltek has prepared for Certified Third-Party Organization (C3PAO) assessments for FedRAMP Moderate Ready Status and CMMC 2.0 Maturity Level 2 certifications. Moving to Costpoint in GCCM, you will be well-positioned to meet current and future cybersecurity compliance requirements from an industry leader and trusted partner.

Don’t Wait for CMMC to Protect Your Data with Deltek’s GovCon Cloud

Deltek knows you have multiple deployment options when hosting your ERP and company data. But did you know that when you choose a third-party solution like AWS GovCloud, you only inherit a small portion of the necessary compliance controls? However, when you choose Deltek Costpoint in GCCM, you receive application and infrastructure security baked directly into the solution delivery, inheriting approximately 75% of the controls needed for your own CMMC compliance, and award-winning support to ensure you achieve total success.

In addition, Deltek Costpoint ERP in the GovCon Cloud can also help protect against:

  1. Ransomware: Protecting your data is Deltek’s top priority. We’ve built the industry’s leading solution with security and compliance in mind, so your team can focus on growing your business.
  2. Natural Disasters: A big advantage of our SaaS delivery is the redundancy and availability of cloud and product expertise when you need it from Deltek’s award-winning support team.
  3. Phishing: By leveraging phishing-resistant MFA technology (FIDO - Fast Identity Online), Deltek improves both the security and usability of authenticated user access.
  4. Nation-State Threat Actors: With Deltek’s GCCM offering your data is protected with the highest cybersecurity standards hosted in the United States and managed by US-only personnel.

With Deltek, you gain a robust and scalable cloud platform and a team of cloud and security experts. Our cloud engineers handle all your maintenance and software updates, enabling your IT teams to focus on meeting strategic business initiatives and continuous business process improvements while delivering Costpoint features as soon as they are available.

So, don’t wait for the government to finalize its plans before you finalize yours. Deltek’s industry-leading solutions, delivered in our secure GovCon Cloud, are ready to help you achieve cybersecurity readiness and compliance today.

Learn more about Deltek Costpoint in the Cloud and explore the delivery options available.