WHAT IS CMMC EXACTLY?
The Cybersecurity Maturity Model Certification (CMMC) is a new framework that applies to US Department of Defense (DoD) contractors and subcontractors.
CMMC is a system of compliance levels that helps the government, specifically the DoD, determine whether an organization has the security controls necessary to work with controlled or otherwise sensitive data.
First published in 2020, CMMC will gradually be implemented over the next five years. Compliance with CMMC will be an integral part of the bid process for DoD contracts. Contractors and subcontractors from across the Defense Industrial Base (DIB) will need to comply with the required CMMC level stated in DoD contracts.
CMMC compliance levels will appear in more and more DoD Requests for Proposals (RFPs) over the next few years. CMMC will also likely be adopted by other US federal departments in the future as a best-practice cybersecurity standard for contractors. Organizations should start planning for compliance today.
The primary goal of the Cybersecurity Maturity Model Certification is to safeguard what is referred to as Controlled Unclassified Information (CUI) across the DoD supply chain. The DoD's definition of CUI covers any information or data created or possessed by the government, or by another entity on the government's behalf. The scope of "data" is broad here and can include financial, legal, intelligence, infrastructure, export control, or other information.
The CMMC framework incorporates the processes, practices, and approaches needed to standardize the assessment of a DoD vendor's security capabilities.
CMMC - HOW TO GET STARTED
Here is a CMMC compliance checklist:
Determine what type of unclassified information your organization will handle.
Identify what CMMC certification level you need.
Work with an MSP (for example, partner with Applied Integration), also known as a C3PAO (CMMC Third-Party Assessment Organization), to help you meet CMMC requirements and assist with your NIST assessment, or do it yourself using the NIST self-assessment guide.
Complete the CMMC Assessment Process.
Identify what type of unclassified information your organization will handle.
On December 3, 2021, the DoD released the CMMC 2.0 Model Overview. This new model includes the basic protection requirements for FCI specified in Federal Acquisition Regulation (FAR) clause 52.204-21 and the security requirements for CUI in NIST SP 800-171r2, as mandated by Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012.
If you handle Controlled Unclassified Information (CUI), you will need to meet Level 2 or Level 3 of CMMC.
If you only handle Federal Contract Information (FCI), you will only need Level 1 of CMMC.
Determine the CMMC certification level you need
The level of CMMC you need to meet depends on the type of information (CUI or FCI) covered by the contract under which you are working.
CMMC 1.0 defined 5 levels; with the announcement of CMMC 2.0, the current CMMC model contains 3 maturity levels.
The 3 levels in CMMC 2.0 are:
Level 1 (foundational) is for companies that handle FCI only. This information requires protection but is not critical to national security. Level 1 requires 17 basic protection practices (see the CMMC Level 1 Analysis Guide), and all Level 1 companies can self-certify.
Level 2 (advanced) is for companies that handle CUI. It requires the 110 practices of NIST SP 800-171r2 and, depending on the type of information, may require either a third-party assessment or a self-assessment (see the CMMC Level 2 Analysis Guide).
Level 3 (expert) is for the highest-priority CUI programs. It will use a subset of NIST SP 800-172, and Level 3 companies will require a government-led assessment.