Connecting state and local government leaders
The Colorado Office of the State Auditor wants to be sure that agencies that receive funding from the Defense Department can meet DOD’s Cybersecurity Maturity Model Certification requirements.
To determine if select agencies’ security posture is mature enough to continue to receive funding from the Defense Department, the Colorado Office of the State Auditor wants an evaluation of their Cybersecurity Maturity Model Certification readiness.
DOD’s CMMC program is designed to head off evolving security threats by incorporating National Institute of Standards and Technology cybersecurity requirements into defense acquisition programs. CMMC applies to the defense industrial base, which includes all organizations and facilities that provide materials, products and services to DOD.
In Colorado, the Department of Military and Veterans Affairs, the Governor’s Office of Information Technology and the Colorado State University System receive DOD funding and would be subject to CMMC, according to a May 12 request for proposals.
- The DMVA, which delivers “land, air, space and cyber power in support of state and federal operations,” is also responsible for the safekeeping of military records, according to the RFP. It receives the majority of its funding directly from DOD and is responsible for administration of those funds. For fiscal year 2022, DMVA spent approximately $26.2 million in federal awards, and about 90% of its FY 2023 appropriation comes from federal funds.
- The Governor’s Office of Information Technology is DMVA’s IT service provider. OIT also oversees executive branch department technology initiatives and provides information security, network security and management as well as data center operations.
- The Colorado State University System’s Division of Information Technology manages IT and enterprise-level services across three universities—Colorado State University-Fort Collins, CSU-Pueblo and the online university CSU-Global Campus. In fiscal year 2022, the universities received more than $95 million in grants from DOD.
The state auditor is requesting an IT performance evaluation to determine whether those organizations are adequately prepared for the CMMC Model 2.0 requirements.
CMMS Model 2.0 has three certification levels. Level 1 certification is necessary for industrial organizations that want to bid on DOD contracts and handle only federal information related to the contracts and not critical to national security. Annual self-assessments will be required.
Level 2 certification is aligned with NIST SP 800-171: “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Defense contractors managing CUI critical to national security will be required to have third-party assessments every three years; others may conduct self-assessments.
Level 3 assessments focus on controls around protecting CUI from advanced persistent threats and are designed for organizations working with such information on DOD’s highest priority programs. Reviews will be conducted against a subset of NIST SP 800-172: “Organizations Enhanced Security Requirements for Protecting Controlled Unclassified Information.” A government-led assessment must be conducted every three years.
The Colorado state auditor wants an evaluation to assess whether the DMVA, OIT and the CSU System’s cybersecurity posture is adequate and whether the state “has taken sufficient steps to help ensure that the State will not lose current and future DOD funding, be in breach of DOD contracts, or be in violation of the federal False Claims Act,” the RFP stated.
The contractor will be responsible for planning and conducting the evaluation and preparing a report.
Proposals are due July 7.