
TL;DR: CMMC for multiple CAGE Codes: Can a company file one SSP in the DoD’s SPRS that covers multiple subsidiary CAGE Codes? The answer depends on the degree of vertical IT integration. “One SSP for All” doesn’t work when mergers & acquisitions fuel growth and vertical IT system integration lags.
KLC Consulting finds compliance efficiency opportunities by inheriting common controls, policies, and procedures.
A CAGE Code – Commercial and Government Entity Code – is a unique, five-character alphanumeric identifier assigned by the Defense Logistics Agency (DLA). Your CAGE Code is the first thing a prime contractor will ask you for if you are a new subcontractor to them. That’s because it is integral to establishing the security requirements for any project that involves defense contracts, especially secured information (FCI/CUI/CMMC).
A company must obtain a CAGE Code to do business with the federal government. A CAGE Code is assigned to each separate operation of a company and can be applied to almost any product or service they offer. Since 2014, CAGE codes have been required for federal government contractors to create a uniform, national system for tracking hardware, software, and technical data when transferring such items between DoD contractors and DoD components.
CAGE Code Requirements for Multiple Locations
A company can have one or more CAGE Codes. When the DoD contracts with an organization, it identifies the organization by its CAGE Code. Under DFARS 7012, 7020, and CMMC, the DoD expects DIB contractors doing business as a prime contractor or subcontractor to create a System Security Plan (SSP). By registering your CAGE Code, you will be able to win more government contracts and gain valuable new clientele.
What if I have more than one?
The DoD requires you to have an SSP to satisfy the DFARS requirements. This doesn’t necessarily mean you have to create a unique SSP for each CAGE Code. However, you must have an SSP to support each CAGE Code. For instance, if you have 10 CAGE Codes, and they perform very similar functions and are on the same network, you may be able to include them in one information system and create one SSP to cover all 10 CAGE Codes. Moreover, if your company has seven CAGE Codes that perform the same function, and three CAGE Codes are under a newly acquired subsidiary, you might satisfy DFARS and CMMC requirements with two SSPs.

Do only large companies have more than one CAGE Code?
No, not necessarily. Some companies have a different CAGE Code for each business unit. They believe they can manage contracts more efficiently this way. A small firm with 50 people could have three CAGE Codes. They may not need to create three different SSPs if all three CAGE Code entities (CCEs) have the same controls and processes. They can create one SSP to support three CCEs.
CMMC for Multiple CAGE Codes
Can I use one SSP?
The DFARS Security Requirements do not specify a method for grouping CAGE Codes. It is up to you to determine how you would like to group your SSPs. You can group them by business functions, programs, the type of products you provide, etc. As long as you can articulate how you logically group the CAGE Codes and create a set of controls in an SSP to support them, you will be OK.
Where do I find my CAGE Code?
You can find your CAGE Code at cage.dla.mil.
Once you understand the CAGE Code(s) within your company, what they do, how the DoD and your firm use them, and how your company organizes and logically groups them, you will be able to create an accurate CUI scope and boundary. This means you will be able to manage your SSPs efficiently and effectively. You will set your company up to gain more DoD contracts and win new valuable clients by registering your CAGE Code.
Help with CMMC for Multiple CAGE Codes
KLC Consulting is a Cyber AB cleared C3PAO candidate. We provide Cyber DFARS and CMMC Consulting services. We find the compliance efficiencies available to large companies with multiple CAGE Codes. Opportunities exist through the inheritance of SSPs, controls, policies, and procedures among parents and subsidiaries. We specialize in Cyber DFARS and CMMC compliance. Our staff includes Certified CMMC Professionals and Advanced CMMC Registered Practitioners with Fortune 500 experience in government contracting.
KLC Consulting helps create Cyber DFARS and CMMC compliance strategy for Fortune 500 companies.
Our Cyber DFARS and CMMC compliance strategy program for Fortune 500 companies includes:
- A 1-hour briefing delivered to the decision makers from each business division, with time for Q&A. They’ll come away with a high-level understanding of FCI, CUI, Cyber DFARS, COTS Exemptions, and CMMC requirements to inform their decisions.
- A review and summary of your DoD contract revenue by CAGE Code Entity. Efficiencies exist among parents and subsidiaries, although each has Cyber DFARS and CMMC compliance requirements.
- A cost-benefit analysis of DoD contract revenue against the cost of a CMMC Gap Analysis for each CAGE Code Entity. This guides the decision on whether pursuing Cyber DFARS and CMMC compliance is a sensible business decision for each CAGE Code Entity.
- An evaluation of the optimal ways to inherit CMMC controls, policies, and procedures among CAGE Code Entities to minimize compliance program effort and cost.
- A product line review to consider COTS Exemption opportunities.
- A determination of the most efficient course to obtain BOTH CMMC Level 1 and Level 2 for CAGE Code Entities when required by Cyber DFARS and CMMC.