The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s (DoD) newest verification mechanism designed to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks.
The DoD implemented requirements for safeguarding Covered Defense Information (CDI) and cyber incident reporting through the release of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 in October 2016. The DFARS directed DoD Contractors to self-attest that adequate security controls were implemented within contractor systems to ensure that CDI confidentiality was maintained.
The security controls required to be implemented by the DFARS are defined within National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The Office of the Undersecretary of Defense for Acquisition and Sustainment (OUSD (A&S)) started the process of creating the CMMC in March 2019, released the initial draft of CMMC v1.0 in January of 2020, and announced CMMC 2.0 in November of 2021. They also plan to release a CMMC Certification Assessment Process (CAP) guide in June of 2022 as well as the most recent “interim rule” by May of 2023.
CMMC in the Near-Term
CMMC 2.0 will not be required for all contractors immediately and will be phased in for certain DoD-identified contractors once the final rule is in place. When fully operational, CMMC 2.0 will be mandatory for all entities doing business with the DoD at any level. Prime contractors, and their subcontractors, will be required to meet one of the three CMMC trust levels, and demonstrate that cybersecurity has been sufficiently implemented through the completion of independent validation activities. Initial Award, or continuance, of a DoD contract will be dependent upon CMMC compliance.
No contractor organizations will be permitted to receive or share DoD information related to programs and projects without having completed the CMMC process. At the time that a contractor’s contract is up for renewal, they must be CMMC compliant.
The CMMC was included as a component of Requests for Information (RFIs) in mid-2020 as well as in Requests for Proposal (RFPs) in late 2020. CMMC is primarily based on NIST SP 800-171 to create a DoD standard for CUI cybersecurity.
- May 2019: Version 0.1
- July 2019: Version 0.2 identified and reviewed
- September 2019: Version 0.4 released
- October 2019: CMMC implemented requirements released
- November 2019: Version 0.6 was released for public review
- January 2020: Version 1.0 finalized; compliance checklist released
- June 2020: CMMC began appearing in RFIs
- September 2020: CMMC began appearing in RFPs
- November 2020: Defense Acquisitions Regulation System (DFARS) Interim rule became effective, five-year phase in period began
- March 2021: DoD initiated an internal review of CMMC v1.0
- November 2021: CMMC 2.0 was announced
- June 2022: CMMC Certification Assessment Process guide will be released
- May 2023: The Pentagon set to release the new interim rule
Details of The CMMC Framework
There will be three cumulative Certification levels to the CMMC:
• Level 1 – Foundational: Includes basic cybersecurity appropriate for small companies utilizing a subset of universally accepted common practices. The processes at this level would include some performed practices, at least in an ad hoc manner. This level includes the same 17 controls outlined in the original CMMC framework, but now only requires an annual self-assessment and affirmation by company leadership.
• Level 2 – Advanced: Includes coverage of all NIST SP 800-171 Rev. 2 controls. Processes at this level are maintained and followed, and there is a comprehensive knowledge of cyber assets. The DoD has pared down the original 130 controls in the original CMMC Level 3 baseline to the 110 controls outlined in NIST 800-171. The DoD is considering a bifurcated process that will identify “prioritized acquisitions” that must undergo an independent assessment against the new Level 2 Advance requirements on a triannual basis versus an annual self-assessment with attestation.
• Level 3 – Expert: Includes highly advanced cybersecurity practices. The processes involved at this level include continuous improvement across the enterprise and defensive responses performed at machine speed. This level will replace what was formally known as CMMC Levels 4 and 5. Details of this level are still being defined. It is expected that this level will incorporate a subset of controls from NIST SP 800-172 where an organization will have an existing Level 2 CMMC Certification, and the Level 3 controls will be assessed by DoD and not by a C3PAO.
CMMC vs NIST 800-171
It is important that organizations understand that the CMMC 2.0 will require a CMMC 3rd Party Assessment Organization (C3PAO) to perform an independent assessment of their CMMC Level 2 implementation for the security controls protecting CUI data every three years. However, if an organization is seeking a CMMC Level 1 assessment, they can reach compliance through annual self-attestation.
The maturity of a cybersecurity program (policies, plans, processes and procedures to manage the environment where the CUI resides) under NIST 800-171 are assumed to be implemented (NFO controls). But under CMMC they are a key aspect of an assessment. Those policies, plans, etc. provide assurances that the practices are being implemented effectively and in a sustainable manner.
CMMC Domains will also include four additional controls that are not currently covered under NIST 800-171:
1. Asset Management
2. Cybersecurity Governance
4. Situational Awareness
Still have questions? You can find answers to many of your CMMC 2.0 questions here.
How A-LIGN Can Help
A-LIGN is one of only a few globally recognized cybersecurity and privacy compliance providers that offer a single-provider approach for organizations. A-LIGN is an accredited FedRAMP 3PAO with the ability to work with any organization from small businesses to the largest of global enterprises. With our extensive experience in the NIST Risk Management Framework (RMF), NIST SP 800-53, CSF, FISMA/RMF, DFARS, NIST 800-171 and cybersecurity, we can ensure your organization demonstrates the appropriate maturity level in capabilities based on your company’s specific business requirements.