The Cybersecurity Maturity Model Certification (CMMC) is a major Department of Defense (DoD) program built to protect the defense industrial base (DIB) from increasingly frequent and complex cyber-attacks. It focuses on protecting important information that is not classified but still sensitive, specifically controlled unclassified information (CUI), and contract details or technical data, known as federal contraction information (FCI).
CMMC builds upon existing trust-based regulations (DFARS 252.204-7012) by adding a verification component for cybersecurity requirements. Instead of just trusting that these companies and organizations follow the rules for cybersecurity, the CMMC will check and confirm that they do.
The DoD made the CMMC with help from experts and industry partners. DoD's Office of the Under Secretary of Defense for Acquisition & Sustainment [OUSD(A&S)] developed the CMMC Framework, working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and others within the security industry.
The CMMC will affect all DoD prime- and sub-contractors planning to bid on future contracts with the CMMC DFARS clause will be required to obtain a CMMC certification prior to contract award. Some prime- and sub-contractors accessing, processing or storing FCI (but not CUI) will minimally require a Level 1 attestation. A DoD contract will specify which level of compliance a contractor needs to meet.
All DIB members should learn the CMMC's technical requirements not only for certification but for long-term cybersecurity agility. However, DoD recognizes that many DIB members are small businesses that lack the resources of their larger, prime counterparts. As a result, the CMMC Framework incorporates cost-effective and affordable controls for small businesses to implement at the lower CMMC levels.
Overall, CMMC is designed to provide DoD increased assurance that a DIB company can adequately protect sensitive CUI and FCI, accounting for information flow down to subcontractors in a multi-tier supply chain.
CMMC is expected to be codified by the end of 2024 and in contracts in Q1 2025. However, this does not mean that companies should wait to begin a CMMC implementation plan. NIST 800-171, which CMMC is based on, is already required today. Furthermore, CMMC certification does not happen overnight, as you will see below. Now is the time to begin the process.
DoD included in the proposed rule an estimated timeline for the rollout of the CMMC program. Specifically, DoD intends to implement the CMMC program in four phases over two and a half years.
Phase 1 begins on the effective date of DoD’s final CMMC rule (i.e., when DFARS 252.204–7021 is officially revised). During Phase 1, CMMC Level 1 or Level 2 self-assessments become a condition for contract award. This means that contractors must self-assess their compliance with the cybersecurity requirements of CMMC Level 1 or 2 (whichever level is applicable to the contract) to be eligible for award. DoD may also include third-party CMMC Level 2 assessment requirements in certain contracts at its discretion.
Phase 2 begins six months after Phase 1. During Phase 2, DoD will add CMMC Level 2 certification assessment requirements to all applicable contract awards. This means that contractors will need to pass a third-party Level 2 CMMC assessment to be eligible for contracts with the CMMC Level 2 certification requirement. DoD may also include CMMC Level 3 certification assessment requirements in certain contracts at its discretion.
Phase 3 begins one year after Phase 2. During Phase 3, DoD will extend the CMMC Level 2 certification assessment requirement to applicable contracts that were awarded prior to DoD’s finalization of the CMMC rule. This means that DoD will not exercise options on existing contracts unless the contractor has passed a third-party Level 2 CMMC assessment (assuming the CMMC Level 2 requirements are applicable to the contract). In addition, DoD will add CMMC Level 3 certification assessment requirements to all applicable contract awards.
Phase 4 begins one year after Phase 3 and will mark the full implementation of the CMMC program. During Phase 4, DoD will include all CMMC Program requirements in all applicable DoD solicitations and contracts including option periods on existing contracts.
If, hypothetically, the final CMMC rule becomes effective on December 26, 2024 (one year after DoD released the proposed rule), then Phase 1 would begin on December 26, 2024; Phase 2 would begin on June 26, 2025; Phase 3 would begin on June 26, 2026; and Phase 4 (i.e., full implementation) would begin on June 26, 2027.
While two and a half years may seem like a long time, contractors should begin assessing their compliance now, especially if they plan to obtain a third-party certification for CMMC Levels 2 or 3. Contractors who do not meet applicable CMMC requirements could miss out on the opportunity to compete for new contracts or could have their existing DoD contracts end after option periods are not exercised.
Once CMMC 2.0 is implemented, DoD will specify the required CMMC level in the solicitation.
If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.
The definition of FCI is in FAR 52.204-21 and CUI in 32 CFR Part 2002, respectively. The DoD CUI Quick Reference Guide includes information on CUI. In addition, the Defense Counterintelligence and Security Agency (DCSA) also provides answers to Frequently Asked Questions. These FAQs describe the difference between FCI and CUI as follows: “Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. However, while FCI is any information that is ‘not intended for public release,’ CUI is information that requires safeguarding and may also be subject to dissemination controls.”
While two and a half years may seem like a long time, contractors should begin assessing their compliance now, especially if they plan to obtain a third-party certification for CMMC Levels 2 or 3. Contractors who do not meet applicable CMMC requirements could miss out on the opportunity to compete for new contracts or could have their existing DoD contracts end after option periods are not exercised.
Compliance with NIST standards are levied as contractual requirements via inclusion of clauses such as FAR 52.204-21 and DFARS 252.204-7012. The relationship between CMMC and the NIST standards is that CMMC requirements will result in a contractor self-assessment, or a third-party assessment, to determine whether the applicable NIST standard (as identified by the DFARS clause) has been met. The FAR clause states the basic safeguarding requirements for CMMC Level 1 compliance. Under CMMC 2.0, a Level 2 assessment will be conducted against the NIST SP 800-171 standard, and a Level 3 assessment will be based on a subset of NIST SP 800-172 requirements.
Holy cow. This is a lot. So…
The CMMC is designed to enforce protection of sensitive unclassified information that is shared by the DoD with its contractors and subcontractors. The CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the Department through acquisition programs.
The scope of the CMMC is defined as the assets within your environment that need to be assessed in order to comply with NIST 800-171 and CMMC standards, while assessment is the overall objective to comply with NIST 800-171 and CMMC standards.
To achieve CMMC compliance, organizations must create a system security plan (SSP) that includes details about each system in their IT environment that stores or transmits controlled unclassified information (CUI) in accordance with NIST 800-171.
CMMC compliance requires organizations to identify, assess, prioritize, and respond to risks while NIST 800-171 focuses on identifying and assessing risks and then developing mitigation strategies.
The DoD manages the CMMC ecosystem, although the re-branding is designed to distinguish itself from the DoD's branding of the CMMC program, the Cyber AB still serves as the sole official partner of the Department of Defense for the registration, accreditation, and oversight of the CMMC Ecosystem.
The CMMC framework links the model to a systemic approach to achieve certification level and consists of several assets—domains (14), and practices (110+) corresponding to the certification level.
An organization must demonstrate basic cyber hygiene practices, such as ensuring employees change passwords regularly to protect Federal Contract Information (FCI). FCI is "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government."
An organization must have an institutionalized management plan to implement good cyber hygiene practices to safeguard CUI, including all the NIST 800-171 r2 security requirements and processes.
An organization must have standardized and optimized processes in place and additional enhanced practices that detect and respond to changing tactics, techniques and procedures (TTPs) of advanced persistent threats (APTs). An APT is an adversary that possesses sophisticated levels of cyber expertise and significant resources to conduct attacks from multiple vectors. Capabilities include having resources to monitor, scan, and process data forensics.
To achieve certification at each level, organizations undergo a third-party assessment by an accredited and certified CMMC assessor who evaluates their adherence to the required practices and processes. The certification demonstrates the organization's commitment to cybersecurity and its ability to protect sensitive information within the defense supply chain.
The specific set of practices and processes required at each level are outlined in the CMMC model documentation, and organizations must align their cybersecurity programs accordingly to achieve the desired certification level.
All DoD prime- and sub-contractors planning to bid on future contracts with the CMMC DFARS clause will be required to obtain a CMMC certification prior to contract award. Some prime- and sub-contractors accessing, processing or storing FCI (but not CUI) will minimally require a Level 1 attestation. A DoD contract will specify which level of compliance a contractor needs to meet.
All DIB members should learn the CMMC's technical requirements not only for certification but for long-term cybersecurity agility. However, DoD recognizes that many DIB members are small businesses that lack the resources of their larger, prime counterparts. As a result, the CMMC Framework incorporates cost-effective and affordable controls for small businesses to implement at the lower CMMC levels.
Working with an organization who can provide CMMC implementation consulting services can assist in identifying gaps and providing mitigation strategies for an Organization Seeking Certification (OSC) while preparing for an assessment. You’ll work with a CMMC Registered Practitioner (RP), who is a cybersecurity professional who helps organizations prepare for and achieve certification in the CMMC framework. RPs work for Registered Practitioner Organizations (RPOs) but can also be contracted as individuals.
An RPO provides advice and guidance to help your organization prepare for a CMMC assessment. A C3PAO (a service provider organization that the CMMC Accreditation Body has accredited and authorized to conduct CMMC assessments and submits findings and certifies that the OSC complies with the CMMC 2.0 maturity level), on the other hand, conducts the actual CMMC assessment and determines your certification level.
While some may consider cybersecurity compliance rules to be a hindrance, there are actually many formal and informal benefits to your company achieving CMMC compliance.
One of the main advantages of achieving CMMC compliance is that it allows your company to work on contracts for the DoD. CMMC is quickly becoming a mandatory prerequisite for doing any work for the DoD involving sensitive information. If your company is involved in any defense contract, you won’t be able to avoid having this kind of certificate.
Given that military contacts account for around $3.4 Trillion of government spending per decade, you can’t afford for your company to miss out on these kinds of contracts.
Another advantage of CMMC is that it facilitates long-term organizational security. By having a standardized security system, you ensure your company’s security doesn’t depend on any specific employee. For example, let’s say you have someone working for your internal local IT support services who manages your company’s security systems.
If that individual bases his work around CMMC standards, this ensures you could easily replace the employee with another worker trained in the same standards.
While it may seem like CMMC is only suited to military-based projects, the certification has a much broader scope. The DoD has based the certification on widely accepted National Institute of Standards and Technology cybersecurity standards.
This means that by complying with the DoD standards, you might also make your company compliant with various other non-military cybersecurity standards. In some situations, you might be able to work on both civilian and military projects using only one set of CMMC standards.
One significant downside to many cybersecurity certification standards is the high assessment costs. The good news is that CMMC can significantly reduce those costs. Under the CMMC 2.0 system, companies operating at level one (and a subset of companies operating at level two) can demonstrate compliance through a self-assessment. Not only does this help to save your company money, but it also reduces how much your company needs to rely on external actors.
CMMC can give your company flexibility and speed when you need it the most. If you’re in a situation where compliance is difficult or impossible, you may be able to contact the government and waive some of the CMMC requirements. While this is only applicable in a limited number of situations, this aspect of CMMC could potentially help prevent your project from going off the rails.
Outsourcing the process to an organization that can provide a true CMMC assessment and not just a check list will provide peace of mind that the process is done correctly. Better still, find an organization that offers CMMC Program Managers to manage the process ongoing, like Dragnet.
NIST/CMMC requires oversight and management by a qualified cybersecurity professional to ensure the organization achieves compliance and sustains the program over time. Dragnet provides the benefit of an active program manager during your CMMC Certification audit.
The NIST/CMMC Program Manager is responsible for assisting the leaders to develop, plan, implement, and maintain a comprehensive governance program designed to ensure the compliance of in-scope Business Units (BUs) with applicable CMMC regulations, DFARS/FARS clauses, and technical standards.
There is an actual requirement in CMMC that requires oversight and control supervision in the Risk management and the Security Assessment family to monitor the implemented system security controls on an ongoing basis. So vendors will either need to staff the headcount to support this or have a virtual Program Manager as suggested to cut costs and meet requirements.
The Cybersecurity Maturity Model Certification (CMMC) is a DoD program that aims to protect the defense industrial base from cyber threats. It requires contractors to comply with one of three levels of cybersecurity practices and processes, depending on the type and sensitivity of the information they handle. The CMMC framework is based on existing standards and regulations, such as NIST 800-171 and 800-172, and incorporates cost-effective and affordable controls for small businesses. The CMMC program will be implemented in four phases over two and a half years, projected to start at the end of 2024. Contractors should start preparing for their CMMC assessment now, as it will affect their eligibility for future DoD contracts and options on existing contracts. Achieving CMMC certification will not only demonstrate their commitment to cybersecurity and protect sensitive information, but also provide them with opportunities, security, flexibility, and reduced costs in the defense contracting market.