Out of Scope, Out of Mind. A CMMC Compliance Guide for DoD Contractors.

Decoding the CMMC ruling for CUI access.

Cybersecurity is a priority for the U.S. Department of Defense (DoD). It is also increasingly top of mind for the ~220,000 contractors and subcontractors that comprise the DoD’s multi-tier supply chain – also known as the defense industrial base (DIB). These entities are actively being targeted with cyber-attacks from nation-states and other malicious actors whose goal is to steal intellectual property, Federal Contract Information (FCI), and Controlled Unclassified Information (CUI) shared with DIBs. 

Given this growing reality, the DoD developed 32 CFR Part 170, the Cybersecurity Maturity Model Certification (CMMC) Program. CMMC assessments will be used to verify that existing DoD cybersecurity requirements are actually being met, with the goal of strengthening DIB cybersecurity standards and better safeguarding the integrity of DoD information. 

Published on 15-OCT-2024, and effective 16-DEC-2024, CMMC compliance language is expected in contracts as of 1Q2025. The 48 CFR part 204 CMMC Acquisition rule (updated 11-OCT-2024 – Section 204.7500) will allow the DoD to require adherence to a specific CMMC certification level in a solicitation or contract. 

When CMMC compliance requirements are applied to a solicitation, contracting officers will not 1) make an award, 2) exercise an option, or 3) extend the period of performance on a contract, unless the offeror or contractor has passing results from a current certification assessment or self-assessment for the CMMC level. 

An affirmation of continuous compliance with the security requirements in the Supplier Performance Risk System (SPRS) for all information systems that process, store, or transmit FCI or CUI during contract performance is also required. Furthermore, the appropriate CMMC certification requirements will flow down to subcontractors at all tiers when the subcontractor processes, stores, or transmits FCI or CUI.

Where Does Hypori Fit In? 

Hypori enables secure virtual access, using proven cybersecurity practices, from any mobile device to enterprise apps and data (e.g., CUI or FCI). Trusted by the DoD and Intelligence Communities, Hypori is built on a zero-trust architecture and is certified at the highest levels of security. Hypori’s commitment to security, risk management, high-level security controls, and privacy using virtualization technology enables easy onboarding at scale and improves bring-your-own-device (BYOD) user adoption. 

The Hypori CMMC Cloud within AWS protects customers from data loss due to system compromise at the edge. It is delivered under the exact specifications of our Hypori IL5 SaaS Platform. This platform has successfully passed numerous DoD, Commercial, Intelligence Community, and internal security reviews of our component architecture, which continue on a regular basis.  

NOTE: You can find valuable resources in the Hypori Trust Center, including the Shared Responsibility Model and the Customer Responsibility Matrix, which together provide the documentation required of Hypori as a Cloud Service Provider.  

The Hypori App is a Virtual Mobile Infrastructure (VMI) client, where VMI is technically equivalent to a Virtual Desktop Infrastructure (VDI). The Hypori App running on the endpoint is designed and configured so that no CUI or FCI is processed, stored, or transmitted on the device; only the keyboard, video, and mouse (KVM) streams are exchanged with the VMI client. Per Table 3 §170.19(c)(1) [Level 2] and Table 5 §170.19(d)(1) [Level 3] in 32 CFR Part 170, published 15-Oct-2024 in the Federal Register, the edge device on which the Hypori App is installed is considered out-of-scope, and there are no documentation requirements for it. Thus, the Hypori App enables you to access CUI and FCI from an edge device as part of your BYOD program, while eliminating any concern that your edge device is classified as a contractor risk managed asset (CRMA). 

In contrast, edge devices that run MDM/MAM solutions and access CUI or FCI are considered in-scope. They are classified as Security Protection Assets and require the implementation of all relevant Level 2 practices. Such edge devices are also likely to be considered contractor risk managed assets (CRMA), which could trigger a CMMC assessment. MDM also presents a spectrum of liability and exposure issues, and invades user privacy. These details were previously explored in the Hypori blog post entitled “SMB DIBS Guide to CMMC Compliance: Essential Checklist for Cybersecurity”. 

For more detailed technical information, including the Hypori CMMC Cloud Shared Responsibility Model, which lists the specific controls customers inherit from the Hypori CMMC Cloud to meet CMMC compliance requirements, contact info@hypori.com.


Quick Reference CMMC FAQ: New CMMC Compliance Ruling  

  1. Who does the CMMC compliance ruling impact? 

    The CMMC ruling impacts the U.S. Department of Defense (DoD) contractors and subcontractors in the defense industrial base (DIB). This includes approximately 220,000 entities that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). 

  2. When was the new CMMC compliance ruling published? 

    The ruling was published on October 15, 2024. It can be found on the Federal Register website.

  3. When will the ruling go into effect? 

    The ruling will go into effect starting December 16, 2024, with CMMC requirements expected in any DoD contract by Q1 2025. 

  4. What are the consequences of not being CMMC certified? 

    Contracting officers will not award, exercise an option, or extend the period of performance on contracts unless the offeror or contractor has a current certification assessment or self-assessment for the required CMMC and compliance level. This also applies to subcontractors handling CUI or FCI. 

  5. How does CMMC certification apply to subcontractors? 

    Subcontractors at all tiers that process, store, or transmit FCI or CUI must meet the appropriate CMMC certification requirements, which will flow down from the prime contractor to all lower tiers. 

  6. What is Hypori’s role in helping organizations meet the CMMC requirements? 

    Hypori enables secure virtual access to enterprise apps and data (such as FCI and CUI) from any mobile device, protecting sensitive information with its zero-trust architecture. Hypori’s technology ensures that edge devices using its Virtual Mobile Infrastructure (VMI) remain out-of-scope, simplifying compliance with CMMC compliance requirements. 

  7. How does Hypori’s solution differ from traditional MDM/MAM solutions? 

    Unlike traditional Mobile Device Management (MDM) or Mobile Application Management (MAM) solutions, which require edge devices to implement relevant security practices and may be considered a contractor risk managed asset (CRMA), Hypori’s Virtual Mobile Infrastructure ensures that no sensitive data is processed or stored on the edge device. This eliminates concerns around documentation requirements, data protection and privacy issues. 

  8. What does it mean for edge devices to be considered out-of-scope with Hypori? 

    With Hypori, the edge device that accesses CUI or FCI is considered out-of-scope under the new CMMC compliance regulations. It therefore does not require the documentation or the specific security measures typically mandated for in-scope devices, which makes adhering to CMMC requirements easier and less burdensome for any organization.

  9. What levels of security certification and managed services does Hypori offer? 

    Hypori’s CMMC Cloud, delivered under its IL5 SaaS Platform, is certified at the highest levels of security. This platform has passed numerous security reviews from the DoD, Intelligence Communities, and other organizations, ensuring continuous compliance with security standards. 

    Managed services are available via a variety of Hypori partners.

  10. How does Hypori protect against data loss? 

    Hypori’s CMMC Cloud on AWS protects customers from data loss due to system compromise at the edge, ensuring that sensitive data like CUI and FCI never leaves the protected virtual environment. 

Jeff Aliber is Hypori’s Head of Product Marketing. Colby LeClerc works in Hypori’s Office of the CSO and is a Certified CMMC Professional (CCP). 


Jeff Aliber & Colby LeClerc
