About the Cybersecurity Maturity Model Certification (CMMC) Program


What is CMMC?
CMMC is a major program established by the Department of Defense (DoD), based on NIST SP 800-171, designed to protect the defense industrial base (DIB) against cyber attacks. Per 32 CFR 170.1, the CMMC program establishes policy for requiring defense contractors and subcontractors to implement prescribed cybersecurity standards for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC program also establishes requirements for conducting an assessment of contractor and subcontractor information systems that process, store, or transmit FCI or CUI and provide security protections for such CUI systems.
CMMC Rulemaking Link on federalregister.gov
Who Will Need to Be CMMC Certified?
All Department of Defense prime and subcontractors bidding on contracts that contain the CMMC DFARS clause will be required to obtain a CMMC certification. Depending on RFP and contract language, some RFPs will state that the CMMC certification must be in place before the contract is awarded, some within a designated timeframe after award, and some that the certification must be in place for the bid to be valid. Some prime and subcontractors accessing, processing or storing FCI (but not CUI) may require only a Level 1 CMMC attestation. Each RFP and associated contract will specify the level of CMMC compliance required. It is critical to note that becoming CMMC certified takes time and the line of contractors waiting is growing exponentially.
All companies that provide services to the DoD should familiarize themselves with the CMMC certification requirements and how to maintain compliance long-term. The CMMC compliance requirements flow down to all subcontractors in a multi-tier supply chain; the prime must ensure all subcontractors meet the requirements.

What are the Maturity Levels of the CMMC Certification?

CMMC Level 1: Foundational
CMMC L1 requires that companies demonstrate basic cyber hygiene practices and protect Federal Contract Information (FCI). FCI is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.” Level 1 includes 17 controls based on segments of NIST SP 800-171.

CMMC Level 2: Advanced
CMMC L2 includes all components of CMMC Level 1 plus additional control requirements to implement good cyber hygiene practices to safeguard both FCI and Controlled Unclassified Information (CUI), including all security requirements and processes of the current version of NIST SP 800-171. Level 2 includes 110 controls based on NIST SP 800-171.

CMMC Level 3: Expert
CMMC L3 may be achieved only AFTER an organization receives a CMMC L2 certification. CMMC L3 requires optimized processes and practices that detect and respond to the changing tactics, techniques and procedures (TTPs) of advanced persistent threats (APTs). Capabilities include having the resources to monitor, scan, and process data forensics. CMMC L3 assessments are conducted by DCMA DIBCAC. Level 3 includes 110+ controls based on NIST SP 800-172.

Components of the CMMC Program
The major components of the CMMC Program are shown in the figure on the left. It’s critical to note that the process to obtain compliance generally takes 1-5 months, depending on complexities within the organization. After certification is obtained, organizations must continuously maintain compliance and be recertified every 3 years.