What is the CMMC Standard?
The CMMC certification methodology was developed by the Department of Defense (DoD) to guarantee that contractors have safeguards in place to secure sensitive data such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The Cybersecurity Maturity Model Certification (CMMC) is a new prerequisite for existing DoD contractors.
The DoD introduced CMMC 2.0 in November 2021, following an internal examination of the program that began in March 2021 and included over 850 public comments on the CMMC program. In CMMC 2.0, the five-level model will be replaced with three increasingly advanced levels of cybersecurity requirements.
The CMMC 2.0 framework is divided into three levels of cybersecurity maturity, each building on the prior ones. It is made up of multiple procedures and processes that are mainly based on NIST 800-171 and NIST SP 800-172.
The Department of Defense will go through a regulation process before implementing CMMC 2.0 in contracts. All DoD contractors must be CMMC certified in order to bid on new federal contracts.
What Changes in CMMC V2.0?
- Three levels instead of five levels
There were five maturity levels in the previous model (V1.02); the new model has only three.
Levels 2 and 4 were eliminated from the new model. Maturity Level 1 remains unaltered. It still has 17 practice standards that correspond to FAR 52.204-21’s 15 cybersecurity practices.
The former Maturity Level 3 has been replaced by the new Maturity Level 2. With the removal of the 20 "delta" practices, this level is now aligned with the 110 practices of NIST SP 800-171.
Based on a subset of NIST 800-172, the new Maturity Level 3 is presently being developed. It replaces the previous Maturity Levels 4 and 5.
- Eliminates all Maturity Processes
There were five maturity processes in the prior model (performed, documented, managed, reviewed, and optimized). All maturity processes are eliminated in CMMC 2.0.
Although CMMC 2.0 eliminates all maturity processes, it does not remove the requirement for those who want a Level 2 certification to have written processes and policies.
- Plan of Action and Milestones (PoAM)
The DoD now accepts Plan of Action and Milestones (PoAM) reports, meaning that contractors who do not fully comply may be allowed to begin work on a contract while committing in detail to how they will meet any unmet requirements in the future. In some limited cases, this newer version also allows waivers to CMMC requirements.
- Assessment for Organizations
Self-assessment will now be allowed for Maturity Level 1 certifications.
A selection of Organizations Seeking Certification (OSCs) aiming for Maturity Level 3 will be assessed by Certified Third-Party Assessor Organizations (C3PAOs). The subset of suppliers and contractors reviewed by C3PAOs will be determined by the type of contracts.
Only those OSCs managing contracts with information deemed critical to national security will be subject to third-party reviews. Other OSCs with CUI may self-assess if their contracts aren’t deemed critical to national security.
Maturity Level 3 certification will be assessed by government officials, most likely the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Another distinction can be found in the evaluation process. Following a V1.02 assessment, the C3PAO would submit an evaluation report to the CMMC-AB. The CMMC-AB would then perform a final assessment and provide a certification. Now, in version 2.0, the C3PAO submits its assessment report to the Department of Defense.
What are the requirements for CMMC?
The CMMC model integrates different cybersecurity control standards, such as NIST SP 800-171 and NIST SP 800-172, into a single unified cybersecurity standard. The CMMC assesses a company’s institutionalization of cybersecurity policies and procedures in addition to cybersecurity control requirements.
The following are the three CMMC 2.0 levels:
- Level 1 – “Foundational” – The DoD contractor will need to implement 17 controls of NIST 800-171 and pass an annual self-assessment.
- Level 2 – “Advanced” – To pass an audit for this level, the DoD contractor will need to implement the full NIST 800-171 (110 controls).
- Level 3 – “Expert” – To pass an audit for this level, the DoD contractor will need to implement 110 controls of NIST 800-171 plus other controls based on NIST 800-172 (still under DoD development).
Why should you be CMMC compliant?
For businesses that wish to do business with the US Department of Defense, CMMC is a new prerequisite. It requires verification of contractor security and demands that all companies in their supply chain handle their partners with the same diligence.
The CMMC serves as a verification of whether DIB organizations are using acceptable cybersecurity policies and procedures to secure Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on their unclassified networks.
Non-compliance will hurt your company’s profit margins, as contractors who do not pass the certification will be unable to bid on DoD projects.
How to achieve CMMC certification?
The Department of Defense will use accredited third-party assessor organizations (C3PAOs) to perform audits on DoD contractor information systems to ensure that they have reached the required standard of cybersecurity controls. If a DoD contractor complies with the controls for a given Level, they will be assigned a certification Level of 2-3 based on this audit.
The requirement under DFARS 7021 to submit and maintain a NIST 800-171 self-assessment in the DoD’s Supplier Performance Risk System (SPRS) remains in effect.
Through the Centraleyes platform, organizations can gain full visibility into their cyber risk levels and compliance. Its integrated CMMC questionnaire, with an easy follow-up system to help track and close vulnerable areas, eases the process of meeting compliance. The platform also allows you to start an assessment around the NIST 800-171 framework, while walking you through all the requirements that need to be met for this prerequisite. The final report that is needed for SPRS submission will be automatically created by the platform.