Overview of CMMC Mandate
Cybersecurity Maturity Model Certification (CMMC)
The CMMC is a comprehensive cybersecurity standard, based on the NIST SP 800-171 framework, that defense contractors must meet to ensure they protect sensitive data properly.
It is designed to protect sensitive information, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), from cyber threats. There are three levels of compliance, focusing respectively on basic cyber hygiene, the protection of CUI, and defense against advanced threats.
Failure to comply can lead to serious repercussions such as ineligibility to conduct business with the US Department of Defense (a $900B annual market), potential legal proceedings under the False Claims Act, and increased susceptibility to cyber attacks.
Key Components of CMMC
Maturity Levels
CMMC 2.0 consists of three maturity levels (Level 1 to Level 3), each representing an increasing level of cybersecurity practices and processes. The levels are cumulative, meaning that an organization achieving a higher level must also meet the requirements of the lower levels.
Processes and Practices
CMMC defines specific cybersecurity practices and processes that organizations must implement based on their assigned maturity level. These practices cover various domains, including access control, incident response, risk management, and more.
Third-Party Certification
One significant aspect of CMMC Level 2 is the requirement for third-party assessments and certifications. Organizations seeking to work with the DoD must undergo an assessment by an accredited and independent third-party certifier to verify their compliance with the specified maturity level.
Implementation Timeline
The implementation of CMMC was planned to be phased, with different contracts requiring specific maturity levels. Contractors needed to be aware of the requirements for their specific contracts and ensure compliance within the established timelines.
CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework comprises a set of cybersecurity requirements that Department of Defense (DoD) contractors must meet to protect Controlled Unclassified Information (CUI). These requirements are based on established cybersecurity standards, primarily from NIST SP 800-171.
CMMC 2.0 has simplified the original model, from five levels into three levels of cybersecurity maturity:
Level 1 (Foundational)
CMMC Level 1 self-attestation requires compliance with the 17 basic safeguarding requirements for protecting Federal Contract Information (FCI) set forth in FAR clause 52.204-21.
Every year, an accountable executive within the defense contractor’s organization will be required to submit a self-attestation of the company’s implementation of the 17 requirements outlined in 32 CFR 170.15 into the Supplier Performance Risk System (SPRS). The initial self-attestation affirms compliance; thereafter, an annual affirmation of continued compliance, as outlined in 32 CFR 170.22, will be required for the company to remain eligible for DoD contract awards.
Level 2 (Advanced)
CMMC Level 2 requires compliance with the 110 security requirements outlined in 32 CFR 170.17 and NIST SP 800-171 Rev 2 to protect Controlled Unclassified Information (CUI).
Level 2 Self Attestation
Every year, an accountable executive within the defense contractor’s organization will be required to submit a self-attestation of the company’s implementation of the 110 requirements outlined in 32 CFR 170.16 into the Supplier Performance Risk System (SPRS). The initial self-attestation affirms compliance and, if necessary, includes a POA&M closeout affirmation. Thereafter, an annual affirmation of continued compliance, as outlined in 32 CFR 170.22, will be required for the company to remain eligible for DoD contract awards.
Level 2 Certification
CMMC Level 2 Certification requires compliance with the 110 security requirements outlined in 32 CFR 170.17 and NIST SP 800-171 Rev 2 to protect Controlled Unclassified Information (CUI).
Level 2 Certification requires an authorized or accredited CMMC Certified Third-Party Assessment Organization (C3PAO) to validate the implementation of the NIST SP 800-171 Rev 2 security requirements and upload the results into eMASS, which feeds the information into SPRS, making the defense contractor eligible for DoD contract awards for three years.
Level 2 Certification also requires an accountable executive within the defense contractor’s organization to submit a self-attestation of the company’s compliance. The first self-attestation is an initial affirmation of compliance and, if necessary, includes a POA&M closeout affirmation. Thereafter, an annual affirmation of continued compliance, as outlined in 32 CFR 170.22, will be required for the company to remain eligible.
Level 3 – Not Provided by SMPL-C
Level 3 compliance is required for companies that work directly with the DoD on critical programs and technologies. The practices for this level are based on a subset of the controls from NIST SP 800-172 (formerly known as NIST SP 800-171B), which provides enhanced security requirements for protecting against Advanced Persistent Threats (APTs). SMPL-C does not offer modules for Level 3.