The Cybersecurity Maturity Model Certification (CMMC) is a new Department of Defense (DoD) program.
CMMC will improve CUI security by introducing a formal audit program for compliance. The CMMC framework will map different security processes and practices to levels 1 through 5. It’s important to note that ANY organization that does business with the Department of Defense must meet all the provisions of the required maturity level. The previous self-assessment process is being replaced by audits from qualified, accredited third-party organizations (C3PAOs).
What are the CMMC Levels?
The CMMC framework consists of five maturity levels, 1 through 5, with increasing systems controls and process compliance requirements to protect information.
Level 1 is basic cybersecurity hygiene covering systems and processes across your company. If your company handles Federal Contract Information (FCI), you will require Level 1 compliance at a minimum. Level 3 is a moderate level of cybersecurity hygiene similar to that of NIST 800-171 and DFARS 252.204-7012 and will be required if you handle Controlled Unclassified Information (CUI).
Level 5 of the CMMC calls for the most advanced cybersecurity practices within and beyond the perimeter of CUI protection.
Who does CMMC apply to?
CMMC will apply to ALL government contractors, primes and subs, who do business with the Department of Defense. This includes over 300,000 organizations that will need to be certified. With the inception of the phased rollout of CMMC, targeted defense contracts must now achieve and flow down CMMC compliance to subcontractors.
When does CMMC go into effect?
The Department is implementing CMMC through a phased rollout from fiscal year 2021 to 2025. Until September 30, 2025, the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of the CMMC requirement in any solicitation. As of November 30, 2020, the DFARS 252.204-7012 Rule Change enabled the inclusion of CMMC on specific acquisitions. During this phased rollout, Requests for Proposals (RFPs) may include CMMC requirements for contractors, with flow-down to subcontractors.
Why is CMMC being implemented?
Previous cybersecurity measures have failed to protect the United States supply chain. The NIST 800-171 security standard relies on organizations to self-assess their security posture and then report their compliance. It is clear that self-assessment is not reliable and does not offer any safeguards to verify supply chain integrity. Compliance does not mean that you are secure, and it never will, but compliance offers the motivation to bring cybersecurity hygiene and corporate process to a consistent level of implementation. Compliance requires only achieving a level of implementation and making sure items and training are in place. CMMC will serve as a verification tool to ensure appropriate cybersecurity practices are in place.
How do I achieve CMMC compliance?
All defense contractors are required to coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule their CMMC audit. These auditors will review the contractor’s security processes and practices. Based on the security controls in place and the contractor’s ability to demonstrate organizational and operational maturity, the contractor will be awarded a CMMC certification level from one to five (one being the most basic security controls, five being the most stringent and complex security requirements). CMMC will require companies to hold certification at the level required by the solicitation prior to being awarded the contract.
What is the CMMC Accreditation Body (CMMC-AB)?
The CMMC-AB is responsible for the establishment and oversight of qualified and trained assessors for the Cybersecurity Maturity Model Certification (CMMC) Program.
What is Controlled Unclassified Information (CUI) data?
The DoD defines Controlled Unclassified Information (CUI) as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Additional information on CUI is available in the DoD CUI memo and the National Archives and Records Administration’s CUI Registry. If your organization possesses CUI, you will likely need to achieve CMMC Level 3.
What is Federal Contract Information (FCI) in CMMC?
Federal Contract Information (FCI) is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.” If your organization possesses FCI, you will likely need to achieve at minimum CMMC Level 1.
My organization is a subcontractor on DoD contracts. Do I need CMMC compliance?
Yes, if you are a subcontractor on a targeted defense contract throughout the phased rollout in fiscal year 2021 through 2025 and by September 2025, CMMC applies to you. The level of certification your organization requires will depend upon the type and nature of the information you receive from the prime contractor.
Does my organization need one level of CMMC certification or can areas of our organization be certified at different CMMC levels?
According to the DoD, “When implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for a particular segment(s) or enclave(s), depending upon where the information to be protected is handled and stored.” Organizations can choose to achieve a base level of CMMC for their entire organization and be certified at higher levels for certain enclaves as contracts require.