Overview of CMMC Mandate

Cybersecurity Maturity Model Certification (CMMC)

The CMMC is a comprehensive cybersecurity standard, based on the NIST 800-171 framework, that defense contractors must meet to ensure they protect sensitive data properly.

It is designed to protect sensitive information, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), from cyber threats. There are three levels of compliance, focusing on basic cyber hygiene, controlled unclassified information (CUI), and advanced threats.

Failure to comply can lead to serious repercussions such as ineligibility to conduct business with the US Department of Defense (a $900B annual market), potential legal proceedings under the False Claims Act, and increased susceptibility to cyber attacks.

Key Components of CMMC

Maturity Levels

The original CMMC model consists of five maturity levels (Level 1 to Level 5), each representing an increasing level of cybersecurity practices and processes. The levels are cumulative, meaning that an organization achieving a higher level must also meet the requirements of all lower levels.

Processes and Practices

CMMC defines specific cybersecurity practices and processes that organizations must implement based on their assigned maturity level. These practices cover various domains, including access control, incident response, risk management, and more.

Third-Party Certification

One significant aspect of CMMC is the requirement for third-party assessments and certifications. Organizations seeking to work with the DoD must undergo an assessment by an accredited and independent third-party certifier to verify their compliance with the specified maturity level.

Implementation Timeline

The implementation of CMMC was planned to be phased, with different contracts requiring specific maturity levels. Contractors needed to be aware of the requirements for their specific contracts and ensure compliance within the established timelines.

CMMC 2.0

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework comprises a set of cybersecurity requirements that Department of Defense (DoD) contractors must meet to protect Controlled Unclassified Information (CUI). These requirements are based on established cybersecurity standards, primarily from NIST SP 800-171.

CMMC 2.0 has simplified the original model into three levels of cybersecurity maturity:

CMMC 2.0 Framework

Level 1 (Foundational)

This level includes the basic safeguarding requirements for Federal Contract Information (FCI) as outlined in the Federal Acquisition Regulation (FAR) Clause 52.204-21. It includes 17 practices that correspond to basic cyber hygiene. SMPL-C has 2 modules for Level 1.

Level 2 (Advanced)

This level encompasses all 110 security practices from NIST SP 800-171, which are designed to protect CUI. Level 2 serves as a transitional stage for companies as they prepare for Level 3. SMPL-C has 3 modules for Level 2.

Level 3 (Expert)

This level is for companies that work directly with the DoD on critical programs and technologies. The practices for this level are based on a subset of the controls from NIST SP 800-172 (formerly known as NIST SP 800-171B), which provides enhanced security requirements for protecting against Advanced Persistent Threats (APTs). SMPL-C has no modules for Level 3.