The "Cybersecurity Maturity Model Certification" (CMMC) is a new DoD program to verify that contractors are protecting their unclassified information. This includes safeguarding contract-related information categorized as "controlled unclassified information" (CUI) and/or "federal contract information" (FCI).
In the past, only companies with contracts involving the handling of CUI had to meet cybersecurity requirements. This required them to put in place the NIST SP 800-171 family of cybersecurity controls (see DFARS 252.204-7012). These companies would "self-attest" to having met their cybersecurity requirements. Any requirements not implemented were documented in a plan of action & milestones (POA&M) to be completed later. All their security controls were documented in a system security plan (SSP).
With CMMC you can no longer "self-attest" to meeting your DoD cybersecurity requirements. You will undergo a third-party assessment that will determine if you meet your contract's cybersecurity requirements. There are five CMMC levels, with one being the easiest and five being the most difficult.
2. Who does CMMC Apply To?
CMMC requirements will apply to over 300,000 companies with DoD contracts. However, there is an exception for companies selling Commercial-Off-The-Shelf (COTS) products. ALWAYS CHECK YOUR CONTRACT to determine if CMMC applies to you. Requirements will begin to appear in RFIs in mid 2020 and in RFPs in late 2020. The DoD hopes to have all 300,000 companies in the defense industrial base certified within the next 5 years.
3. Do Non-DoD Contracts Require CMMC?
As of yet, non-DoD contracts do not require CMMC. There has been talk that the rest of the federal government may adopt it in the coming years.
4. What happened to NIST SP 800-171?
Much of NIST SP 800-171 has been integrated into CMMC. As a matter of fact, almost all the controls for CMMC levels 1-3 are drawn from NIST SP 800-171.
5. What is the difference between CMMC & NIST SP 800-171?
CMMC comes with a new cybersecurity framework. It includes "practices" and "processes". Practices are the security controls your company needs to implement. Processes are how your company implements its practices. The more "institutionalized" your processes are, the more mature your cybersecurity program is. CMMC will gauge your company's cybersecurity maturity level. There are five maturity levels. Maturity levels are new with CMMC; NIST SP 800-171 did not have maturity levels.
6. What are the CMMC Levels?
There are five CMMC levels. Most contractors will have to meet level one or two CMMC requirements.
Level 1: perform 17 cybersecurity practices.
Level 2: perform and document 72 practices.
Level 3: perform, document, and manage 130 practices.
Level 4: perform, document, manage, and review the effectiveness of 156 practices.
Level 5: perform, document, manage, review, and optimize 171 practices.
7. How do I know which CMMC Level Applies to Me?
If you currently have DFARS clause 252.204-7012 in your contract, you will likely have a CMMC requirement of level 3 or higher. If you do not have any cybersecurity requirements associated with your DoD contract, you will likely have a level one or two requirement. To be sure, always check your contract.
8. How Can I Become CMMC Certified?
You need to undergo an official CMMC assessment by a certified third party auditor. As of now (May 2020) this is not possible because there are no certified third-party auditors. The certification process will become clearer in the coming months.
9. Will the DoD Pay for My Certification?
The DoD said that "the cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive." Translation: the DoD is only paying for your CMMC certification. They are not paying for the cost it takes to actually implement your cybersecurity requirements. So all your man-hours, software licensing, and equipment costs will be on you.
If you have a DoD contract requiring the implementation of NIST SP 800-171 (DFARS clause 252.204-7012) then continue implementing it.
If you have a DoD contract that doesn't have DFARS clause 252.204-7012 you should start implementing CMMC level 1. These are practices you should be doing anyway and will prepare you in case you have to implement a higher CMMC level.
How We Can Help
We simplified CMMC preparation into a three-step process with an easy to use web app. Via our app, our cybersecurity team conducts a gap analysis of your cybersecurity program and creates a project plan for meeting your CMMC requirements.