CMMC

What is CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) program designed to protect data in the Defense Industrial Base (DIB). For organizations to secure DoD contracts, they must demonstrate CMMC compliance. The program provides the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for processing controlled unclassified information.

CMMC is largely based on the NIST SP 800-171 standard and maps these controls across organizational maturity levels ranging from basic cyber hygiene to advanced cyber threats. This regulation builds on the existing regulations known as DFARS 252.204-7012 from 2016.

The CMMC 2.0 Program has Three Key Features:

Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for requiring the protection of information that is flowed down to subcontractors

Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.

Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

What data is protected under CMMC?

Federal Contract Information (FCI): FCI is information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service.

Controlled Unclassified Information (CUI): CUI is defined as information that does not carry classified status but needs to be safeguarded due to government policies and laws or ordinances. Examples of CUI relevant to the CMMC include:

• Data on defense, nuclear, and natural resources infrastructures
• Financial records
• International agreements
• Global and domestic defense data
• Provisional and statistical data from governmental agencies

CMMC Certification Process

With the transition to CMMC 2.0, the number of certification levels was reduced from five to three.

Level 1: Foundational

Level 1 compliance will be an appropriate target for organizations that handle FCI, but not CUI. Organizations can conduct an annual self-assessment to show Level 1 compliance. They will need to meet the following Federal Acquisition Regulation (FAR) 52.204.21 cybersecurity requirements.

• Limit information system access to authorized users
• Limit information system to the types of transactions and functions that authorized users are permitted to execute
• Verify and control/limit connections to and use of external information systems
• Control information posted or processed on publicly accessible information systems
• Identify information system users, processes acting on behalf of users, or devices
• Verify the identities of those users, processes, or devices as a prerequisite to allowing access to organization information systems
• Sanitize or destroy information system media containing FCI before disposal or release for reuse
• Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals
• Escort visitors and monitor visitor activity; maintain audit logs of physical access; control and manage physical access devices
• Monitor, control, and protect organizational communications
• Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
• Identify, report, and correct information and information system flaws in a timely manner
• Provide protection from malicious code at appropriate locations within organizational information systems
• Update malicious code protection mechanisms when new releases become available
• Perform periodic scans of the information system and real-time scans of files from external sources

Level 2: Advanced

Level 2 will likely be the most common certification level. It will be split into two groups. Organizations that handle CUI will need to work with a C3PAO to complete certification. Those organizations will need re-certification every three years. Organizations that don’t work with CUI will be able to do an annual self-assessment.

All organizations seeking Level 2 certification need to prove they implemented the requirements of NIST SP 800-171, which consists of the following 14 control domains that contain 110 security requirements:

• Access Control
• Audit and Accountability
• Awareness and Training
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Management
• Security Assessment
• Systems and Communications Protection
• System and Information Integrity

Level 3: Expert

The most rigorous level of certification. Level 3 should be the target for organizations accessing CUI for high-priority DoD projects. For Level 3 certification organizations must meet all the requirements found in NIST 800-172. NIST 800-172 largely mirrors NIST 800-171 but contains enhanced controls in 10 of the 14 families. Assessments for Level 3 certification will be government-led and need to be completed every three years.

The Benefits of CMMC Certification

In 2021, the total value of DoD contracts was nearly $400 billion. For your organization to tap into that potential revenue stream it must be CMMC certified. The CMMC requirement applies to any organization in the DoD supply train, including subcontractors.

How We Can Help

CompliancePoint’s team of cybersecurity experts offers decades of experience your organization can leverage. We can help design and implement controls that will meet all NIST/CMMC requirements. Once implemented, we can help manage your security program on an ongoing basis to ensure continuous compliance.