Cybersecurity Maturity Model Certification (CMMC)

- CMMC, or the Cybersecurity Maturity Model Certification, is a standard for cybersecurity implementation within the Defense Industrial Base (DIB). This framework is responsible for ensuring that Controlled Unclassified Information (CUI) is protected.

- The CMMC framework is mandatory for any organization that contracts with the Department of Defense (DoD). CMMC compliance began in 2020, but the DoD will continue to add new standards into new contracts until all entities are covered by 2025.

Organizations looking to become CMMC compliant are assessed on three maturity levels:

- Level 1: Basic Safeguarding of Data

• This maturity level is structured around protecting Federal Contract Information (FCI), or government information not intended for public release.
• These practices are considered foundational and are required for all higher CMMC maturity levels.
• This level includes annual Self Assessment and Annual Affirmation of 15 security requirements in FAR clause 52.204-21.

- Level 2: Broad Protection of CUI

• Certification at this level indicates that an organization possesses the basic capabilities to protect CUI and has effectively implemented the security requirements of NIST SP 800-171 R2, another security framework.
• A level 2 CMMC certification signifies that an organization adequately maintains security activities, policies, and procedures, and demonstrates proper planning to manage certain activities.
• Either a self-assessment or a C3PAO assessment every three years, as specified in the solicitation.
  • Decided by the type of information processed, transmitted, or stored on the contractor or subcontractor information systems.
• Annual Affirmation, verify compliance with the 110 security requirements from NIST SP 800-171 R2.

- Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats

• Organizations that meet level 3 CMMC requirements are hyper-focused on protecting CUI from APTs through optimized cybersecurity capabilities.
• Organizations at this level are required to continually improve and standardize their cyber hygiene practices across the entirety of their infrastructure.
• Achieve CMMC Status of Final Level 2.
• Undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
• Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.

- CMMC compliance is assessed by CMMC Third Party Assessment Organizations (C3PAOs). Many organizations work with cybersecurity or CMMC consultants to prepare for their assessment with a C3PAO.

The Defense Federal Acquisition Regulation Supplement (DFARS) is an amendment to a series of rules that regulate the DoD and other government agencies’ purchasing of goods and services.

Defense contractors must be DFARS compliant to conduct business with the DoD.

Organizations must complete and submit self-assessments to the DoD annually. These assessments must include the following:

- A System Security Plan (SSP)
- A Plan of Action and Milestones (POAM)
- A CUI Environment Management Team (CEMT)

Both DFARs and CMMC have the same goals: protecting CUI. CMMC builds on what was started with DFARs, and the documentation developed while becoming DFARS compliant is essential to advancing through CMMC levels. While there’s some overlap between the two, it’s possible to be DFARS compliant without being CMMC compliant and vice versa.

CMMC is the vehicle that determines NIST SP 800-171 compliance. CMMC is a third-party assessment required to be certified as NIST SP 800-171 compliant.

Your organization has achieved Level 2 CMMC. If it is appropriate for your organization, then Level 2 CMMC can be achieved with 24 more security activities from NIST SP 800-172. Organizations who have achieved Level 3 are hyper-focused on protecting CUI from APTs through optimized cybersecurity capabilities.

CMMC assessments must be performed by an authorized and accredited C3PAO listed on the CMMC-AB marketplace. While IT consultants, Registered Practitioners and other parties can help you prepare for your CMMC assessment, only authorized and accredited C3PAOs can conduct the assessment itself.

A CMMC certification will be valid for 3 years with Annual Affirmation required

The required CMMC level varies. The DoD will tell you what CMMC level is required in Requests for Information (RFIs) and Requests for Proposals (RFPs).

The short answer is – Yes! CMMC compliance preparation is tedious and resource-intensive, and it can be pricey if key resources like compliance officers and full-time IT staff are not involved. Managed service providers familiar with CMMC and IT in the manufacturing industry can provide strategic and reliable audit preparation. Working with an MSP can help ensure you submit a strong risk score to the DoD, which will help you continue your contract and position your organization favorably for future contracts.