CMMC will improve CUI security by introducing a formal audit program for compliance. The CMMC framework will associate different security processes and practices with levels 1 through 5. It’s important to note that ANY organization that does business with the Department of Defense must meet all the provisions of the required maturity level. The previous self-assessment process is being replaced by audits from qualified, accredited 3rd-party organizations (C3PAOs).
What are the CMMC Levels?
The CMMC framework consists of five maturity levels, 1 through 5, with each level adding systems controls and process compliance requirements to protect information.
Level 1 is basic cybersecurity hygiene covering systems and processes across your company. If your company handles Federal Contract Information (FCI), you will require Level 1 compliance at a minimum. Level 3 is a moderate level of cybersecurity hygiene similar to that of NIST 800-171 and DFARS 252.204-7012 and will be required if you handle Controlled Unclassified Information (CUI).
Level 5 of the CMMC calls for the most advanced cybersecurity practices within and beyond the perimeter of CUI protection.
Who does CMMC apply to?
CMMC applies to ALL government contractors, primes and subs, who do business with the Department of Defense. This includes over 300,000 organizations that will need to be certified. Previously, federal contractors were allowed to self-certify. With the inception of CMMC, defense contractors must now achieve CMMC certification via a certified and accredited 3rd-party auditor in order to be awarded a defense contract.
When does CMMC go into effect?
As of November 30, 2020, the DFARS 252.204-7012 Rule Change made cybersecurity hygiene foundational to all acquisitions. Provisionally trained CMMC assessors are active, as this rule change activates the Supplier Performance Risk System (SPRS). Requests for Proposals (RFPs) will now include CMMC requirements for contractors.
Why is CMMC being implemented?
Previous cybersecurity measures have failed to protect the United States supply chain. The NIST 800-171 security standard relies on organizations to self-assess their security posture and then report their compliance. It is clear that self-assessment is not reliable and does not offer any safeguards to verify supply chain integrity. Compliance does not mean that you are secure, and it never will, but compliance does provide the motivation to bring cybersecurity hygiene and corporate processes to a consistent level of implementation. Compliance requires only achieving a level of implementation and making sure items and training are in place. CMMC will serve as a verification tool to ensure appropriate cybersecurity practices are in place.
How do I achieve CMMC compliance?
All defense contractors are required to coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule their CMMC audit. These auditors will review the contractor’s security processes and practices. Based on the security controls in place and the contractor’s ability to demonstrate organizational and operational maturity, the contractor will be awarded a CMMC certification level from one to five (one being the most basic security controls, five being the most stringent and complex security requirements). CMMC will require companies to hold certification at the level required by the solicitation prior to being awarded the contract.
What is the CMMC Accreditation Body (CMMC-AB)?
The CMMC-AB is responsible for the establishment and oversight of qualified and trained assessors for the Cybersecurity Maturity Model Certification (CMMC) Program.
What is Controlled Unclassified Information (CUI) data?
The DoD defines Controlled Unclassified Information (CUI) as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Additional information on CUI is available in the DoD CUI memo and the National Archives and Records Administration’s CUI Registry. If your organization possesses CUI, you will likely need to achieve CMMC Level 3.
What is Federal Contract Information (FCI) in CMMC?
Federal Contract Information (FCI) is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.” If your organization possesses FCI, you will likely need to achieve at minimum CMMC Level 1.
My organization is a subcontractor on DoD contracts. Do I need CMMC compliance?
Yes, CMMC applies to subcontractors. The level of certification your organization will need will depend upon the type and nature of the information you receive from the prime contractor.
Does my organization need one level of CMMC certification or can areas of our organization be certified at different CMMC levels?
According to the DoD, “When implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for a particular segment(s) or enclave(s), depending upon where the information to be protected is handled and stored.” Organizations can choose to achieve a base level of CMMC for their entire organization and be certified at higher levels for certain enclaves as contracts require.