What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification”. Created specifically to help safeguard Controlled Unclassified Information (“CUI”) in non-federal systems, CMMC was introduced by the U.S. Department of Defense and is considered a continuation of earlier efforts that required defense contractors and subcontractors to comply with the NIST SP 800-171 cybersecurity standard if they were to receive, handle, store, or process CUI.
The original revision (v1.0) of CMMC encompassed five maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. Each maturity level consisted of its own practices and processes as well as those specified in the lower levels.
In addition to the 110 security requirements specified in NIST SP 800-171 Rev 1, the original CMMC model incorporated several other practices and processes from other standards, references, and sources, including NIST SP 800-53, National Aerospace Standard (NAS) 9933, and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM).
To safeguard sensitive national security information, the Department of Defense (DoD) launched CMMC 2.0, a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks. CMMC 2.0 cuts red tape for small and medium-sized businesses: it is streamlined to three levels instead of five and is aligned with the requirements of the NIST SP 800-171 and NIST SP 800-172 standards.
Who is required to be CMMC certified?
The DoD is incorporating the CMMC certification requirement into the Defense Federal Acquisition Regulation Supplement (DFARS) as a condition for contract award. The CMMC framework will eventually be used to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). Simply put, through the processes and practices found in CMMC, government agencies will be able to verify the maturity of the cybersecurity mechanisms implemented by any company.
Does my company need to be CMMC certified?
CMMC is a requirement that will apply to the unclassified networks of all contractors and subcontractors that handle, process, and/or store Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). If your business does more than solely develop or manufacture COTS products and software, and you plan to handle, process, and/or store FCI or CUI, then your company will need to be CMMC certified.
At the moment, the plan is to implement the CMMC framework within the DoD Defense Industrial Base. However, other federal government agencies are expected to follow suit by requiring CMMC certification of companies and organizations that need to access, store, and process CUI released by those agencies.
It is also important to know that, for contracts that require CMMC, your company may be disqualified from participating if your organization is not certified.
Confused about which level of CMMC certification you need?
The CMMC level you will need depends on the sensitivity of the information you will be accessing and storing. The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).
Under the CMMC 2.0 model, Level 1 (Foundational) certification will require DIB company self-assessments. CMMC Level 2 (Advanced) certification may require either third-party or self-assessments, depending on the type of information. CMMC Level 3 (Expert) will be assessed by government officials. CMMC 2.0 substantially eased assessment requirements for companies not handling information related to prioritized acquisitions.
Keep in mind that when an official certification is required, no company can self-certify. Only CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors accredited by the CMMC Accreditation Body (AB) may perform CMMC assessments in such cases. Also, a company that receives a CMMC certificate from a C3PAO will need to be re-certified every 3 years.
What are the Components of CMMC 2.0?
The CMMC model measures the implementation of cybersecurity requirements at three levels. The CMMC levels and their associated sets of practices across domains are cumulative.
More specifically, for an organization to achieve a specific CMMC level, it must also demonstrate achievement of the preceding lower levels. If an organization does not meet its targeted level, it will be certified at the highest level for which it has achieved all applicable practices.
Each level consists of a set of CMMC practices:
CMMC Level 1 (Foundational)
Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21, commonly referred to as the FAR clause.
CMMC Level 2 (Advanced)
Level 2 focuses on the protection of CUI and encompasses the 110 security requirements specified in NIST SP 800-171 Rev 2.
CMMC Level 3 (Expert)
Level 3 will be based on a subset of NIST SP 800-172 requirements. Details will be released at a later date.
The CMMC model consists of 14 domains that align with the families specified in NIST SP 800-171. These domains and their abbreviations are as follows:
Don’t try to manage it all alone! Linqs has extensive experience with CMMC compliance requirements.
We can assist you by training your employees and developing policies and procedures, in addition to providing expert guidance on securing your systems to achieve your intended CMMC level as soon as possible.