What is CMMC?
CMMC 2.0 is an update to the Cybersecurity Maturity Model Certification (CMMC), which was initially released in January 2020. It is the Department of Defense’s (DoD) method for requiring organizations in the DoD supply chain to protect federal contract information (FCI) and controlled unclassified information (CUI) at the level a given contract requires (CMMC 2.0 defines three levels). CMMC 2.0 restructures the maturity levels by eliminating two of the original five, streamlines assessment requirements to reduce costs for contractors, and introduces a more flexible path to certification through Plans of Action & Milestones (POA&Ms).
As a CMMC Registered Provider Organization (RPO), CTI has built an IT security compliance team with a deep bench of advanced degrees in cybersecurity and information assurance and over 20 years of experience supporting DoD programs in information technology, information assurance, and cybersecurity. CTI’s professionals include CMMC Registered Practitioners (RPs) holding cybersecurity industry certifications such as CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), SANS GDAT (GIAC Defending Advanced Threats), SANS GCIH (GIAC Certified Incident Handler), and SANS GCFE (GIAC Certified Forensic Examiner), among many others.
Details of the CMMC Framework
CMMC 2.0 has three cumulative certification levels:
Level 1 (Foundational): Basic cyber hygiene appropriate for small companies, drawn from a subset of universally accepted common practices. Processes at this level may be performed only in an ad hoc manner. This level keeps the same 17 practices as Level 1 of the original CMMC framework, but now requires only an annual self-assessment and an affirmation by company leadership.
Level 2 (Advanced): Covers all NIST SP 800-171 Rev. 2 requirements. Processes at this level are maintained and followed, and the organization has comprehensive knowledge of its cyber assets. The DoD has pared the 130 practices of the original CMMC Level 3 baseline down to the 110 requirements in NIST SP 800-171. The DoD is considering a bifurcated process in which “prioritized acquisitions” must undergo an independent third-party assessment against the Level 2 requirements every three years (triennially), while other Level 2 acquisitions require an annual self-assessment with attestation.
Level 3 (Expert): Highly advanced cybersecurity practices, with continuous improvement across the enterprise and defensive responses performed at machine speed. This level replaces what was formerly known as CMMC Levels 4 and 5. Details of this level are still being defined. It is expected to incorporate a subset of requirements from NIST SP 800-172, to require an existing Level 2 CMMC certification as a prerequisite, and to be assessed by the DoD rather than by a C3PAO.
As a Registered Provider Organization (RPO), CTI helps organizations in the following ways:
- Prepares organizations for compliance with CMMC 2.0 requirements and NIST SP 800-171 requirements.
- Helps federal contractors achieve compliance with Federal Acquisition Regulation (FAR) clause 52.204-21, which specifies the basic safeguarding controls that make up CMMC Level 1.
- Conducts gap analyses to identify weaknesses against the requirements of DFARS 252.204-7012 for the protection of Controlled Unclassified Information (CUI) and FAR clause 52.204-21 for the protection of Federal Contract Information (FCI).
- Partners with organizations to develop a roadmap covering compliance, gap remediation, and security architecture.
Benefits of CMMC Readiness Assessment
DoD contractors and subcontractors can work with a Cyber AB (formerly CMMC-AB) Registered Provider Organization (RPO) such as CTI to conduct a CMMC Readiness Assessment. Leveraging CTI’s experience and expertise to guide your strategic CMMC goals will help your organization avoid pitfalls related to the program’s complex requirements.
A CMMC Readiness Assessment Will:
- Start your CMMC compliance journey with a CMMC gap assessment from a Cyber AB RPO, which can provide a competitive advantage by getting your organization ready for certification sooner.
- Prepare your organization to meet upcoming CMMC requirements.
- Provide the knowledge and guidance to mature your cybersecurity program.
- Assist organizations with meeting DFARS 252.204-7019 by producing a NIST SP 800-171 DoD Assessment score for submission to the Supplier Performance Risk System (SPRS), along with the supporting System Security Plan (SSP).
Let CTI assist your organization in assessing any risks present through our CMMC services so you can secure your private data environment, comply with regulatory requirements, and save time, money, and resources in the process. Contact us today to discuss your unique situation.
CMMC 2.0 Frequently Asked Questions
Why is CMMC Important?
DIB contractors hold and use sensitive government data to develop and deliver goods and services. CMMC helps ensure that they secure this information the same way that military departments and government agencies do.
What’s Different About CMMC?
The U.S. government has provided cybersecurity guidance to contractors for many years, but contractors had no way to prove how strong their cybersecurity programs actually were. CMMC introduces a set of assessments, performed either as self-assessments or by accredited third-party assessors depending on the level, and contractors must achieve the required level before they can be awarded future DoD contracts that include a CMMC requirement.
What organizations need to comply with CMMC 2.0?
CMMC 2.0 applies to all third parties in the defense supply chain, including contractors, vendors, and any other contracted third parties supporting the Department of Defense (DoD). Non-federal organizations that do business with the DoD must comply with CMMC 2.0 at a level based on the type of FCI and CUI they handle and exchange. These entities include:
- DoD prime contractors
- DoD subcontractors
- Suppliers at all tiers in the DIB
- DoD small business suppliers
- Commercial suppliers that process, handle, or store CUI
- Foreign suppliers
- Third parties that handle CUI on behalf of DoD contractors, such as IT managed service providers
What is the relationship between NIST 800-171 and CMMC?
Compliance with NIST standards is levied as a contractual requirement through the inclusion of clauses such as FAR 52.204-21 and DFARS 252.204-7012. CMMC requirements result in a contractor self-assessment or a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) to determine whether the applicable NIST standard (as identified by the DFARS clause) has been met. Under CMMC 2.0, a Level 2 assessment is conducted against NIST SP 800-171, and a Level 3 assessment is based on a subset of NIST SP 800-172 requirements.
Does CMMC apply to all government contractors?
Today CMMC applies only to DoD contractors, and the DoD is beginning to require certification in certain contracts. In the future, CMMC may be extended to non-DoD government contractors as well.
Is CMMC required for the DIB?
CMMC is a certification program introduced to improve supply chain security in the defense industrial base (DIB). The DoD’s stated plan is to require all contractors that handle FCI or CUI to be assessed at one of the three CMMC levels by the end of 2025.