CMMC Regulatory

Background

In September 2020, the Department of Defense published an interim rule that effectively required contractors and subcontractors to comply with cybersecurity requirements associated with certain contracts. This rule, now known as CMMC 1.0, outlined program requirements designed to ensure that contractors and subcontractors who receive covered defense information implement adequate measures to safeguard government information.

In 2021, the Department of Defense revised the program to create what is now known as CMMC 2.0. CMMC 2.0 specifies three different compliance levels, each corresponding to the sensitivity of the information to be safeguarded. The program defines the specific controls required at each level and specifies assessment and certification requirements. CMMC 2.0 applies to contractors and subcontractors based on contract.

ProShop Clients and CMMC

Some current and prospective ProShop clients have contractual requirements related to cybersecurity and cloud storage. Specifically, DFARS 252.204-7012 requires contractors to implement controls defined in NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” to safeguard covered defense information, including Controlled Unclassified Information (CUI). These requirements form the basis of the Cybersecurity Maturity Model Certification Program (i.e., CMMC). The CMMC Program, Model 2.0 at Level 2 contains 110 requirements or controls. In general, most ProShop clients require Level 2 assessment and certification. But again, the actual assessment level is based on each organization’s contracts. ProShop clients either partially or fully inherit some controls through ProShop ERP due to the nature and application of the controls.

ProShop clients retain sole responsibility for the remaining controls. ProShop clients receive a Shared Responsibility Matrix related to ProShop’s Cloud Service Offering (refer to the ProShop FedRAMP page), which defines the extent of controls partially or fully inherited by the Client from ProShop ERP.

ProShop Clients, CMMC and Professional Services

In addition to ProShop ERP, ProShop USA offers several professional services to support client needs. These services include remote training, on-site training, consulting, custom development and client support. These services are subject to CMMC requirements because the company will have and need access to client instances that may contain covered defense information, including CUI.
In fact, DFARS 252.204-7012 specifically requires contractors (e.g., ProShop clients) to flow down the 7012 clause in all subcontracts where the performance of the contract involves covered defense information. In this context, and under the latest proposed rule, ProShop Clients will flow down 7012 to ProShop USA because ProShop USA is considered a Managed Service Provider.

In the course of providing these services, the company will have and need access to client instances that may contain covered defense information, including CUI.

ProShop USA and CMMC

ProShop USA is currently in the planning and implementation stages of CMMC and intends to obtain CMMC Certification in 2025.
