CMMC 2.0 Goes into Effect on December 16, 2024
The Cybersecurity Maturity Model Certification, or CMMC, program has gone through some changes, but as we get closer to the rule being finalized, we wrote this short blog for anyone new to these requirements. You’ll learn what the requirements are and what is coming down the pike.
CMMC began as a way to secure sensitive US defense information from breaches and theft across our Defense Industrial Base. Requirements to protect Controlled Unclassified Information, or CUI, have been in place since 2017, but due to reports that these requirements were not actually being met, the DoD decided that more needed to be done to establish a trust-but-verify approach, and THAT’s where CMMC comes into play for our US defense contractors, subcontractors, and suppliers.
So what is CMMC?
CMMC is a program that requires companies that contract with the DoD to undergo evaluation and verify that they are, in fact, meeting the security compliance standards set out by the DoD. Within this program, there are three levels. What type of data you process for the government determines what level of security you must meet as well as what type of evaluation you must undergo.
Let’s talk a little bit more about the levels.
Level 1 is the lowest level and is for companies that only need to process Federal Contract Information, or FCI, but do not process any Controlled Unclassified Information, or CUI. At this level, an organization has 17 requirements they need to meet. This level only requires an annual self-assessment.
At Level 2, well, it gets a little more complicated. Level 2 is for companies that process CUI in addition to FCI. Due to the increased sensitivity of the information, these companies must meet 110 requirements. These requirements are based upon the NIST SP 800-171 r2 controls. In truth, these requirements should already be in place for companies processing CUI, as this has been a DFARS requirement since 2017. However, the change here is the certification process. With the rollout of CMMC, companies seeking Level 2 will now likely need to go through a certification process with an authorized third party to verify that they are, in fact, meeting the requirements. While the language surrounding exactly who at Level 2 can complete a self-assessment and who requires a third-party assessment depends on specific contract requirements, it is generally best to assume that if your organization processes CUI for the DoD, you need to be prepared to undergo certification by a third party every three years.
Level 3 is the highest level of CMMC certification and adds 24 requirements on top of Level 2: the 110 practices based upon NIST SP 800-171 r2 plus 24 from NIST SP 800-172. Level 3 is for companies with critical CUI or high-value assets. This level DEFINITELY requires third-party certification, and the assessment is conducted by the Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC. It is expected that most organizations will only need to reach Level 1 or Level 2, but for those that need Level 3, this raises the bar.
So, when do you need to be ready for CMMC?
The short answer is now.
On October 15, 2024, the Final Rule of CMMC 2.0 was published. On December 16, 2024, the CMMC 2.0 Final Rule comes into effect. This means we can expect contracts to start demanding certification any day, and especially in early 2025.
Who is involved in the CMMC process?
There is no denying that the CMMC process is complicated, so we wanted to take a break from the regulation alphabet and explain the stakeholder alphabet.
In the CMMC rule, companies with FCI or CUI needing to achieve certification are called Organizations Seeking Certification, OSCs, or Organizations Seeking Assessment, OSAs.
CMMC assessments are completed by Certified CMMC Professionals, CCPs, and Certified CMMC Assessors, CCAs, both of whom have been certified by the CMMC Accreditation Body (CMMC-AB). CCPs and CCAs often work for third-party assessment companies called CMMC Third-Party Assessment Organizations, or C3PAOs. (Yes, we think of Star Wars and C-3PO too.) C3PAOs are organizations that have been authorized by the CMMC-AB as well.
Lastly, there are Remediation Professionals, RPs, Registered Practitioner Auditors, RPAs, and Certified Program Managers, CPMs, who help OSCs prepare for the CMMC process. They often work for Registered Practitioner Organizations, or RPOs.
Dragnet has both an RP and a CCP on staff to help you with CMMC. We know it is daunting. That is why, if you’re just starting out on your CMMC journey or you simply know that your team doesn’t have the time or expertise to get ready for certification, you should reach out to the squad of experts at Dragnet. Much of our team has been doing this work for decades, and we are eager to bring defense-grade cybersecurity to all.