Contractors can outsource IT services, but they cannot outsource accountability for those IT services being compliant with CMMC requirements. In short, any IT service provider used for processing, storing, or transmitting CUI needs to comply with all CMMC requirements. DoD and the CMMC-AB are still working out how reciprocity under CMMC will apply to IT service providers that hold other accreditations (such as ISO 27001 or FedRAMP), but the particulars are not yet known. For now, CMMC Level 2 contractors can establish the compliance of their IT service providers in two ways: 1) ensure the IT service provider obtains its own CMMC certification, which allows the contractor to simply inherit the controls that are the responsibility of the service provider without having to do anything else; or 2) include the IT service provider in the scope of the contractor’s CUI Boundary. Under the second option, the IT service provider will need to provide potentially significant levels of documentation, evidence, and possibly interviews to support the contractor’s CMMC assessment. Keep in mind that if the IT service provider fails to fully implement the requisite controls, it is the contractor that is responsible for ensuring these control “gaps” are addressed, or it risks being denied certification.
The bottom line is that DoD contractors are on the hook to ensure that all their IT service providers meet all CMMC requirements before access is provided to CUI. Control practice AC.1.03 requires contractors to “verify … connections to and use of external information systems,” and this includes IT service providers. The requirement to “verify” those connections includes the responsibility for ensuring that all CMMC and other DFARS requirements are met if external IT service providers are used.
Besides ensuring compliance of IT service providers with CMMC control practices and maturity processes, contractors should not lose sight of other DFARS requirements that could affect the use of any third-party service providers. For example, the DFARS 7012 Safeguarding clause permits contractors to use external cloud services for CUI only after requiring and ensuring that the cloud services meet security requirements equivalent to FedRAMP Moderate and comply with additional requirements for incident handling, media protection, etc. DoD contractors that use cloud-based systems for CUI processing, storage, and/or transmission need to “require and ensure” that their cloud service providers meet these requirements. It goes without saying that security requirements equivalent to FedRAMP Moderate significantly exceed the requirements for CMMC Level 2 or NIST SP 800-171. However, it is important to clarify that this does not require a contractor’s CSP to achieve a full FedRAMP authorization. SecureIT can help DoD contractors, and CSPs that provide services to DoD contractors, understand how this DFARS 7012 requirement can be met. Please contact us for additional details.