Cybersecurity Maturity Model Certification
Details of The CMMC Framework
There will be three cumulative certification levels to the CMMC:
- Foundational: Includes basic cybersecurity appropriate for small companies, using a subset of universally accepted common practices. The processes at this level would include some performed practices, at least in an ad hoc manner. This level includes the same 17 controls outlined in the original CMMC framework, but now only requires an annual self-assessment and affirmation by company leadership.
- Advanced: Includes coverage of all NIST SP 800-171 Rev. 2 controls. Processes at this level are maintained and followed, and there is comprehensive knowledge of cyber assets. The DoD has pared down the 130 controls in the original CMMC Level 3 baseline to the 110 controls outlined in NIST SP 800-171. The DoD is considering a bifurcated process that will identify "prioritized acquisitions" that must undergo an independent assessment against the new Level 2 Advanced requirements on a triennial basis (every three years), versus an annual self-assessment with attestation for all others.
- On-site Solutions: Includes highly advanced cybersecurity practices. The processes involved at this level include continuous improvement across the enterprise and defensive responses performed at machine speed. This level will replace what was formerly known as CMMC Levels 4 and 5. Details of this level are still being defined. It is expected that this level will incorporate a subset of controls from NIST SP 800-172, that an organization will need an existing Level 2 CMMC certification first, and that the Level 3 controls will be assessed by the DoD rather than by a C3PAO.
CMMC 2.0 Frequently Asked Questions
Why is CMMC Important?
DIB contractors hold and use sensitive government data to develop and deliver goods and services. CMMC helps ensure that they secure this information the same way that military departments and government agencies do.
What’s Different About CMMC?
The U.S. government provided cybersecurity guidance for contractors for many years, but there was no way for contractors to prove how strong their cyber programs were. CMMC introduces a new set of certifications, conducted by third-party assessors. Contractors must achieve certification before they can win future government contracts.
What organizations need to comply with CMMC 2.0?
CMMC 2.0 applies to all third parties within the defense supply chain, including contractors, vendors, and any other contracted third parties that support the Department of Defense (DoD). All civilian organizations that do business with the DoD must comply with CMMC 2.0, based on the type of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) that they handle and exchange. The list of entities includes:
- DoD prime contractors
- DoD subcontractors
- Suppliers at all tiers in the DIB
- DoD small business suppliers
- Commercial suppliers that process, handle, or store CUI
- Foreign suppliers
- Team members of DoD contractors that handle CUI, such as IT managed service providers
What is the relationship between NIST 800-171 and CMMC?
Compliance with NIST standards is levied as a contractual requirement through the inclusion of clauses such as FAR 52.204-21 and DFARS 252.204-7012. CMMC requirements result in either a contractor self-assessment or a third-party assessment by a CMMC Third Party Assessor Organization (C3PAO) to determine whether the applicable NIST standard (as identified by the DFARS clause) has been met. Under CMMC 2.0, a Level 2 assessment will be conducted against the NIST SP 800-171 standard, and a Level 3 assessment will be based on a subset of NIST SP 800-172 requirements.
Does CMMC apply to all government contractors?
Today CMMC applies only to DoD contractors, and the DoD is now beginning to require certification for certain contracts. In the future, CMMC may apply to all non-DoD government contractors as well.
Is this Required by the DIB?
CMMC is a certification program introduced to improve supply chain security in the defense industrial base (DIB). By the end of 2025, the DoD will require all contractors to be certified to one of the three CMMC levels.