Overview of CMMC Mandate

Cybersecurity Maturity Model Certification (CMMC)

The CMMC is a comprehensive cybersecurity standard, based on the NIST 800-171 framework, that defense contractors must meet to ensure they protect sensitive data properly.

It is designed to protect sensitive information, including Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), from cyber threats. There are three levels of compliance, focusing on basic cyber hygiene, controlled unclassified information (CUI), and advanced threats.

Failure to comply can lead to serious repercussions such as ineligibility to conduct business with the US Department of Defense (a $900B annual market), potential legal proceedings under the False Claims Act, and increased susceptibility to cyber attacks.

Key Components of CMMC

Maturity Levels

The original CMMC model consisted of five maturity levels (Level 1 to Level 5), each representing an increasing level of cybersecurity practices and processes. The levels are cumulative, meaning that an organization achieving a higher level must also meet the requirements of the lower levels.

Processes and Practices

CMMC defines specific cybersecurity practices and processes that organizations must implement based on their assigned maturity level. These practices cover various domains, including access control, incident response, risk management, and more.

Third-Party Certification

One significant aspect of CMMC is the requirement for third-party assessments and certifications. Organizations seeking to work with the DoD must undergo an assessment by an accredited and independent third-party certifier to verify their compliance with the specified maturity level.

Implementation Timeline

The implementation of CMMC was planned to be phased, with different contracts requiring specific maturity levels. Contractors needed to be aware of the requirements for their specific contracts and ensure compliance within the established timelines.

CMMC 2.0

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework comprises a set of cybersecurity requirements that Department of Defense (DoD) contractors must meet to protect Controlled Unclassified Information (CUI). These requirements are based on established cybersecurity standards, primarily from NIST SP 800-171.

CMMC 2.0 has simplified the original model into three levels of cybersecurity maturity:

Level 1 (Foundational)

CMMC Level 1 Self Attestation requires compliance with the 17 basic safeguarding requirements to protect Federal Contract Information (FCI) set forth in FAR clause 52.204-21.

Every year, an accountable executive within the defense contractor organization will be required to submit into the Supplier Performance Risk System (SPRS) a self-attestation of the company’s implementation of the 17 requirements outlined in 32 CFR 170.15: an initial affirmation of compliance and, annually after that, an affirmation of continued compliance as outlined in 32 CFR 170.22. This makes the company eligible for DoD contract award.

Level 2 (Advanced)

CMMC Level 2 requires compliance with the 110 security requirements outlined in 32 CFR 170.17 and NIST SP 800-171 Rev 2 to protect Controlled Unclassified Information (CUI).

Level 2 Self Attestation

Every year, an accountable executive within the defense contractor organization will be required to submit into the Supplier Performance Risk System (SPRS) a self-attestation of the company’s implementation of the 110 requirements outlined in 32 CFR 170.16: an initial affirmation of compliance, a POA&M closeout affirmation if necessary, and, annually after that, an affirmation of continued compliance as outlined in 32 CFR 170.22. This makes the company eligible for DoD contract award.

Level 2 Certification

CMMC Level 2 Certification requires compliance with the 110 security requirements outlined in 32 CFR 170.17 and NIST SP 800-171 Rev 2 to protect Controlled Unclassified Information (CUI).

Level 2 Certification requires an authorized or accredited CMMC Certified Third-Party Assessment Organization (C3PAO) to validate the implementation of the NIST SP 800-171 Rev 2 security requirements and upload the results into eMASS, which feeds the information into SPRS, making the defense contractor eligible for DoD contract award for three years.

Level 2 Certification also requires an accountable executive within the defense contractor’s organization to submit an initial affirmation of compliance, a POA&M closeout affirmation if necessary, and, annually after that, an affirmation of continued compliance as outlined in 32 CFR 170.22.

Level 3 – Not Provided by SMPL-C

This level is for companies that work directly with the DoD on critical programs and technologies. The practices for this level are based on a subset of the controls from NIST SP 800-172 (formerly known as NIST SP 800-171B), which provides enhanced security requirements for protecting against Advanced Persistent Threats (APTs). SMPL-C has no modules for Level 3.