CMMC is a standard for implementing cybersecurity. Its framework includes a certification element to confirm processes and practices are in place at your organization. The intention is to protect sensitive unclassified information in the supply chain. All organizations that conduct business with the Department of Defense (DoD) will soon be required to be CMMC certified. For the 220,000 DoD contractors and sub-contractors, this is critical news.
When the Cybersecurity Maturity Model Certification (CMMC) was formally made part of the Defense Federal Acquisition Regulation Supplement (DFARS) in January 2020, the decision sent over 300,000 members of the defense industrial base (DIB), mostly small and midsize businesses (SMBs), into a state of frenzy. Most found themselves drowning in the unnecessary noise surrounding CMMC and its larger implications for existing and future government contracts.
The CMMC model has 5 maturity levels, and only level 1 will be required at the start. CMMC level 1 has 17 requirements, which were lifted directly from NIST SP 800-171. Future DoD contracts will define which CMMC level is required and may demand higher maturity levels over time.
The initial implementation of the CMMC will be limited to the DoD, and will not necessarily apply to non-DoD federal contracts. The DoD is rolling out the requirement in a phased approach until all contracts require certification on September 30, 2025. In the first year of the rollout, only 15 contracts will carry this requirement.
Many other organizations across all industries are looking to CMMC as a benchmark for compliance. For example, CMMC and FedRAMP share a common security model. FedRAMP (Federal Risk and Authorization Management Program) is an extensive process requiring a third-party audit to assess the security of cloud solutions and services used by U.S. federal agencies.
What is CMMC?
- CMMC, or the Cybersecurity Maturity Model Certification, is a standard for cybersecurity implementation within the Defense Industrial Base (DIB). This framework is responsible for ensuring that Controlled Unclassified Information (CUI) is protected.
- The CMMC framework is mandatory for any organization that contracts with the Department of Defense (DoD). CMMC compliance began in 2020, but the DoD will continue to add new standards into new contracts until all entities are covered by 2025.
What are the five CMMC levels of maturity?
Organizations looking to become CMMC compliant are assessed on five maturity levels:
- Level 1: Basic Cyber Hygiene
  - This maturity level is structured around protecting Federal Contract Information (FCI), or government information not intended for public release.
  - These practices are considered foundational and are required for all higher CMMC maturity levels.
  - This level includes 17 basic practices.
- Level 2
  - At this level, organizations are required to have documented policies and procedures for CMMC compliance.
  - This level helps organizations bridge the gap from level 1 to level 3.
  - This level includes 55 additional cyber hygiene practices.
- Level 3
  - Certification at this level indicates that an organization possesses the basic capabilities to protect CUI and has effectively implemented the security requirements of NIST SP 800-171, another security framework.
  - A level 3 CMMC certification signifies that an organization adequately maintains security activities, policies, and procedures, and demonstrates proper planning to manage certain activities.
  - This level requires an additional 59 security requirements from NIST SP 800-171.
- Level 4
  - At this level, organizations have advanced cybersecurity practices that can defend CUI from advanced persistent threats (APTs), or malicious long-term attacks.
  - Organizations that meet Level 4 CMMC compliance must review and document all cybersecurity activities for effectiveness and report any issues to upper management.
  - This level requires an additional 26 NIST SP 800-171 cybersecurity practices.
- Level 5
  - Organizations that meet level 5 CMMC requirements are hyper-focused on protecting CUI from APTs through optimized cybersecurity capabilities.
  - Organizations at this level are required to continually improve and standardize their cyber hygiene practices across the entirety of their infrastructure.
  - This level includes 15 more security activities, bringing the total to 171 practices.
Who assesses CMMC compliance?
- CMMC compliance is assessed by CMMC Third Party Assessment Organizations (C3PAOs). Many organizations work with cybersecurity or CMMC consultants to prepare for their assessment with a C3PAO.
What is DFARS?
The Defense Federal Acquisition Regulation Supplement (DFARS) is an amendment to a series of rules that regulate the DoD and other government agencies’ purchasing of goods and services.
Defense contractors must be DFARS compliant to conduct business with the DoD.
How Can an Organization Become DFARS Compliant?
Organizations must complete and submit self-assessments to the DoD annually. These assessments must include the following:
- A System Security Plan (SSP)
- A Plan of Action and Milestones (POAM)
- A CUI Environment Management Team (CEMT)
How are DFARS and CMMC related?
Both DFARS and CMMC have the same goal: protecting CUI. CMMC builds on what was started with DFARS, and the documentation developed while becoming DFARS compliant is essential to advancing through CMMC levels. While there is some overlap between the two, it is possible to be DFARS compliant without being CMMC compliant, and vice versa.
What’s the Difference Between CMMC and NIST SP 800-171?
CMMC is the vehicle that determines NIST SP 800-171 compliance: it is the third-party assessment required to be certified as NIST SP 800-171 compliant.
I already have NIST 800-171 implemented, what’s next?
Your organization has achieved Level 4 CMMC. If it is appropriate for your organization, Level 5 CMMC can be achieved with 15 more security activities. Organizations that have achieved Level 5 are hyper-focused on protecting CUI from APTs through optimized cybersecurity capabilities.
Who Will Perform My CMMC Assessment?
CMMC assessments must be performed by an authorized and accredited C3PAO listed on the CMMC-AB marketplace. While IT consultants, Registered Practitioners and other parties can help you prepare for your CMMC assessment, only authorized and accredited C3PAOs can conduct the assessment itself.
How Often Does My Organization Need to Be Reassessed?
A CMMC certification will be valid for 3 years.
What CMMC Level Is Required for a Contract?
The required CMMC level varies by contract. The DoD will state the required CMMC level in its Requests for Information (RFIs) and Requests for Proposals (RFPs).
Can a Managed Service Provider (MSP) Help With CMMC Certification?
The short answer is – Yes! CMMC compliance preparation is tedious and resource-intensive, and it can be pricey if key resources like compliance officers and full-time IT staff are not involved. Managed service providers familiar with CMMC and with IT in the manufacturing industry can provide strategic and reliable audit preparation. Working with an MSP can help ensure you submit a strong risk score to the DoD, which will help you keep your current contract and position your organization favorably for future contracts.
While the DoD works out every detail of CMMC and publishes it by 2026, you cannot simply wait in anticipation. You must start gearing up to conduct a thorough and accurate self-assessment and then do whatever it takes to fulfill today’s cybersecurity requirements. That way you will comply now and also be prepared for every future development with respect to CMMC.
Navigating the complexities of CMMC can be overwhelming. Interlink’s experts are ready to discuss how CMMC will impact your organization and to help you through the process.