What is the Cybersecurity Maturity Model Certification (CMMC)?
The CMMC (Cybersecurity Maturity Model Certification) is a certification program that provides a unified approach to cybersecurity for the U.S. DIB (defense industrial base). The program is still evolving: parts of it are already in effect, and full implementation is expected by May 2023.
The CMMC program is designed to improve the cybersecurity posture of companies that do business with the U.S. DoD (Department of Defense). Since January 1, 2018, DFARS (Defense Federal Acquisition Regulation Supplement) contracts that include clause 252.204-7012 have required contractors to provide adequate security on all covered contractor information systems by implementing the security requirements of NIST SP 800-171, and more recently to report a NIST SP 800-171 self-assessment score in the SPRS (Supplier Performance Risk System).
Who does the CMMC apply to?
The CMMC requirements impact all DoD contractors and their suppliers that have the cybersecurity clause in their contract. It is expected that all DoD contracts will carry the mandatory clause by May 2023. The clause DFARS 252.204-7021 states the requirement as follows: “The Contractor shall have a current (i.e. not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.” The required CMMC level is specified in the solicitation and in any RFIs (Requests for Information), if used. Contractors are also required to flow DFARS 252.204-7012 down to subcontracts or similar contractual instruments that are for operationally critical support, or for which subcontract performance will involve covered defense information.
Although DoD contractors have been required to comply with NIST SP 800-171 since January 1, 2018, and to report their status through the SPRS process, CMMC adds new requirements. These are organized into levels, and the level a contractor must meet depends on the type of information it handles: FCI (federal contract information) and/or CUI (controlled unclassified information).
- Level 1 (Foundational) applies to basic safeguarding of FCI
- Level 2 (Advanced) applies to protecting CUI
- Level 3 (Expert) applies to protecting CUI against APTs (advanced persistent threats)
Why has the CMMC been introduced?
The CMMC was developed to step up measures for protecting the U.S. defense supply chain. Its objective is to standardize cybersecurity controls and ensure that risk-based and effective measures appropriate to the contractor are in place to protect FCI and CUI on contractor systems and networks. CMMC was also developed to ensure accountability for adoption of controls.
Version 2 of the CMMC (CMMC 2.0) was announced in November 2021.
Why do we need the CMMC if we already have DFARS?
The FAR (Federal Acquisition Regulation) is the primary set of acquisition rules for the federal government; the DFARS is the DoD's supplement to it, administered by the DoD, and implements and supplements the FAR for DoD procurement. The DFARS contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies and procedures that have a significant effect on the public. The DFARS should be read in conjunction with the FAR. CMMC requirements are being implemented through the DFARS (notably clause 252.204-7021), so CMMC is best understood as a part of the DFARS rather than a replacement for it.
The CMMC was introduced in response to the slow adoption rate of the cybersecurity sections in the DFARS, false compliance claims, and wide-ranging non-compliance among contractors.
How does the CMMC differ from NIST SP 800-171?
NIST SP 800-171 is a catalog of 110 security requirements for protecting CUI in non-federal systems. CMMC does not replace those requirements; it maps them into certification levels and adds an assessment and certification process on top of them, so that compliance is verified rather than self-declared. For more information on the levels of certification, see below.
Under CMMC, the “Advanced” level (Level 2) is aligned with the full set of 110 requirements in NIST SP 800-171.
The international information security standard ISO 27001 (with the control guidance in ISO 27002) covers many of the controls required for CMMC Level 2.
ISO 27001 is already a certifiable standard, and organizations that have achieved ISO 27001 certification will have a head start on the first two levels of the CMMC. Note, however, that ISO 27001 certification does not by itself satisfy CMMC: Level 2 still requires every NIST SP 800-171 requirement to be implemented and assessed.
What levels of certification are there for the CMMC?
- Level 1 (Foundational): based on the basic safeguarding requirements of FAR 52.204-21, expressed as 17 practices
- Level 2 (Advanced): includes all 110 security requirements in NIST SP 800-171
- Level 3 (Expert): still to be determined, but expected to comprise all Level 2 requirements plus a subset of NIST SP 800-172
Which contractors and sub-contractors are required to comply with the CMMC?
The CMMC requirements impact all DoD contractors and their suppliers: a formal assessment against the required CMMC level is needed for companies contracting with the DoD.
Although DoD contractors subject to DFARS 252.204-7012 have been required to comply with NIST SP 800-171 since January 1, 2018, the CMMC requirements apply to companies processing FCI and/or CUI according to level:
- Level 1 applies to basic safeguarding of FCI
- Level 2 applies to protecting CUI, aligned with NIST SP 800-171
- Level 3 applies to protecting CUI and reducing the risk from APTs
How do you prepare for a CMMC audit?
The first step is to identify the type of government data your entity handles, either directly or through a business partner: the required level depends on whether you process FCI only or also CUI. These requirements are normally stated in the contract between the prime contractor and the DoD, or in the contract between your entity and the prime contractor.
From there, an organization can conduct a gap analysis of its current controls against the relevant standard (NIST SP 800-171 for Level 2, or ISO 27001 if that is the existing baseline), and then plan remediation to close any gaps in practices at the required level or in process maturity.
IT Governance USA’s CMMC services
IT Governance USA has a wealth of security experience. For more than 20 years, we’ve helped hundreds of organizations with our deep industry expertise and pragmatic approach.
The Office of the Under Secretary of Defense for Acquisition & Sustainment maintains a CMMC FAQ, which provides updates on the certification process.