Discover the Cybersecurity Maturity Model Certification (CMMC)

What is the CMMC?

The Cybersecurity Maturity Model Certification (CMMC) Version 1, finalized in January 2020, is the US Department of Defense’s (DoD) new information security framework and audit program. The CMMC is designed to improve cybersecurity within the Defense Industrial Base (DIB) by ensuring that contractors and subcontractors can adequately protect Controlled Unclassified Information (CUI).

Back in October 2016, the DoD specified requirements for protecting Covered Defense Information (CDI) and reporting cyber incidents in its Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. DFARS mandated that DoD suppliers implement security controls consistent with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. This regulation relies on suppliers to self-attest to the status of their security controls and to compliance with NIST SP 800-171.

In contrast, the CMMC takes an audit-based approach to compliance. Certification to an appropriate CMMC level will be a “go/no-go” requirement for DoD acquisitions starting with select contracts in 2020, with all DoD contracts mandating CMMC certification by 2026.


Why is the CMMC Important?

The CMMC is critically important because keeping CUI and CDI secure is vital to US national security and to the US economy. The current self-attestation approach has proven ineffective, as shown by multiple high-profile breaches of critical DoD data.

Exfiltration of sensitive defense-related data is estimated to cost the US economy $600 billion per year, and has verifiably narrowed the US armed forces’ technological advantage over their adversaries. The DoD is determined to eliminate this data leakage.

CMMC represents a higher, more exacting level of assurance that emphasizes not only compliance but also data security, and which ensures more consistent implementation and execution of controls. CMMC should make it significantly more difficult for adversaries to breach DIB contractors, especially sub-tier suppliers.

How is the CMMC Different from Today’s Requirements?

CMMC will significantly impact both the DoD’s acquisition process and suppliers’ cybersecurity postures. Most importantly:

  • To achieve certification at any of the five CMMC levels, organizations must pass a third-party assessment conducted by an accredited auditor.
  • CMMC certification to at least Level 1 will be mandatory for DoD contract award/participation, even for companies that do not handle CUI.
  • The CMMC certification level required for prime contractors and their subcontractors will be specified in DoD RFIs and RFPs, starting with select RFIs in June 2020.
  • Suppliers will need to be recertified every three years. Further, the CMMC will continue to evolve in response to the threat landscape.
  • The CMMC is even more comprehensive than NIST 800-171. It defines additional controls and places more emphasis on operationalization of processes (e.g., policies, procedures, documentation) to manage the environment.
  • Unlike the current “one size fits all” self-attestation to NIST 800-171, CMMC defines five levels of requirements, from “Basic Cyber Hygiene” (Level 1) to “Advanced/Progressive” (Level 5). Level 3, “Good Cyber Hygiene,” is equivalent to NIST 800-171 compliance.

When Does My Business Need to Be CMMC Compliant?

CMMC requirements will begin appearing in select RFIs in June 2020, and will appear in RFPs after a DFARS rule change is complete in October 2020. The DoD will gradually apply CMMC requirements starting with a chosen subset of contracts (about 1,500) to be awarded in 2021.

From there, the CMMC rollout will accelerate to about 7,500 companies in 2022, ramping up to about 50,000 in 2025. It is expected that the entire DoD supply chain (about 350,000 businesses) will be CMMC certified by 2026. Companies must continue to comply with current DFARS regulations while the two sets of requirements coexist.

Since only CMMC certified companies can participate in contracts that mandate CMMC, there is a clear competitive advantage to achieving CMMC certification sooner rather than later.

How Do We Get CMMC Certified?

The DoD, in cooperation with the defense industry, has “self-formed” a nonprofit accreditation body, called the CMMC Accreditation Body (CMMC-AB). This entity will onboard the Certified 3rd-Party Assessment Organizations (C3PAOs) needed to certify suppliers across the DIB. The C3PAOs, in turn, will train and certify the many auditors who will conduct CMMC audits.

The DoD expects that certified auditors will be trained and ready to begin assessing suppliers by June 2020, in line with its plan to issue RFIs specifying CMMC at that time. Suppliers seeking CMMC assessment should connect with a C3PAO to schedule an audit.

How Does CMMC Compare to NIST 800-171?

Because it defines five compliance levels, CMMC is more flexible than NIST 800-171, and “right-sizes” a supplier’s compliance footprint based on the data it is handling.

Here are the five CMMC “cyber hygiene” certification levels:

For suppliers that won’t be handling sensitive data, certification to CMMC Level 1 specifies only 17 controls, while Level 2 specifies 63 controls. These levels should be straightforward to achieve for businesses that are self-attesting to NIST 800-171 compliance today.

Suppliers that will handle CUI will need to be certified to CMMC Level 3 or higher. Level 3 includes all 110 NIST 800-171 controls, plus about 20 additional controls, making it comparable to the current DFARS guidance.

CMMC Levels 4 and 5 are intended to protect CUI pertaining to high-value assets from advanced persistent threats and nation-state actors. These levels define more controls (156 and 171 respectively) and processes; attaining them will entail a rigorous audit process.

What certification level should your organization pursue? That depends on your company’s role in the DIB, as well as its current cybersecurity maturity level. CMMC Level 3 is equivalent to the current regulations and will be required to handle CUI. For example, suppliers that have a Section 7012 clause in their current contract will need to be CMMC Level 3 certified when those contracts are renewed.