CMMC is a framework of cybersecurity standards that anyone who works, or wishes to work, with the DoD must meet at one of five levels. Independent assessors will verify whether you have met these standards and then give you a certification. All future DoD contracts will require that you be certified at one of the five levels.
CMMC took effect as an interim rule on 30th November 2020. Although the rule is already effective, it still needs to undergo Congressional review. In the meantime, a limited number of contracts carry a CMMC requirement in 2021. The number, however, is steadily increasing until 2025. The current plan is to have all DoD contracts performed by CMMC-certified companies from 2026 onwards.
Contractors must be certified by an independent auditor known as a CMMC Third Party Assessment Organization (C3PAO). The auditor is authorized and accredited by the independent CMMC Accreditation Body. Contractors cannot assess their own business or self-certify. Contractors can find and select an auditor through a central CMMC “Marketplace”.
Certification covers five levels. Contractors must achieve certification at each level in sequence (from 1 to 5) before applying for assessment at the next level. The fact that a contractor has received certification is public knowledge; the level they have achieved will not be made public but will be known to the Department of Defense.
The measures required for certification are categorized into 17 broad areas of cybersecurity known as domains. Each domain is sub-divided into capabilities (43 in total) and then into 171 specific measures known as practices.
Although the CMMC framework is new, many of the security requirements within it are not. Of the 171 practices included in CMMC, 110 of them are specified in NIST SP 800-171 rev1. Additional practices and processes are drawn from other standards, references and sources, such as:
– NIST SP 800-53
– Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”
– Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2
CMMC builds upon existing regulation (DFARS 252.204-7012) by adding a certification program to verify the implementation of processes and practices across five cybersecurity maturity levels.
CMMC is being incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS), and by 2025 all suppliers will need a certification in order to bid on contracts. Contractors can achieve a CMMC level for their entire enterprise network or for a particular segment or enclave, depending on where the protected information is handled and stored.
CMMC-AB estimates that the certification process will take organizations at least six months.
A CMMC certificate is normally valid for three years before re-assessment is required.
What are the five CMMC maturity models?
The CMMC framework contains five maturity levels, with Level 5 being the highest. The processes and practices required for each level are aligned around:
– Level 1: Safeguarding Federal Contract Information (FCI)
– Level 2: Transitioning towards protecting Controlled Unclassified Information (CUI)
– Level 3: Protecting CUI
– Levels 4-5: Protecting CUI and reducing the risk of Advanced Persistent Threats (APTs)
Organizations must demonstrate both the institutionalization of processes and the implementation of practices to achieve a certification level. For example, if an organization demonstrates Level 3 practices but only Level 2 processes, they will be classified overall as Level 2. CMMC levels are cumulative. To achieve Level 5, an organization must demonstrate all 5 processes and 171 practices included in the framework.
The CMMC program, released on January 31st, 2020, officially went into effect on November 30th, 2020. By October 20th, 2025, all DoD suppliers must carry this certification. Without this certification, organizations will ultimately no longer be able to compete for DoD contracts.
The CMMC is divided into five levels so that DoD contractors are not expected to comply with requirements that are not necessary to protect the type of information they handle. A contractor at the very bottom of the supply chain will most likely be required to certify only to Level 1, while a contractor with access to military base construction projects will be required to certify to one of the highest two levels. To determine which CMMC level a contractor should be working toward, it’s important to inventory all systems in order to find out where FCI and CUI data is stored and how. Those contractors that don’t have the capacity to complete this first step in-house should partner with a managed services provider (MSP) offering CMMC readiness assessments.
CSG Technologies offers consulting services to government contractors and other companies in preparation for their CMMC assessments. We’ll help you identify the federal information you hold that might qualify as CUI (controlled unclassified information), show you what you need to do to follow and enforce the requirements and practices specified in the CMMC model, and help you prepare for a CMMC assessment by a certified third-party assessor.
On March 18, 2020, the Department of Defense (DoD) released Version 1.02 of the Cybersecurity Maturity Model Certification (CMMC) as a replacement for Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. Under an interim rule effective November 30, 2020, DoD contractors must have a current (not older than three years) National Institute of Standards and Technology SP 800-171 DoD Assessment on record. This interim rule allows organizations to close the gap between DFARS and CMMC requirements. Roughly 300,000 DoD contractors making up All DoD contractors and subcontractors are required to attain at least Maturity Level 1 compliance if they handle Federal Contract Information (FCI). Those processing Controlled Unclassified Information (CUI) must achieve Maturity Level 3.