What Is the CMMC Framework? An Introduction to the New DoD Cybersecurity Framework

Every year, hackers and cyber criminals become more sophisticated in their ability to steal sensitive information and intellectual property. Malicious cyber actors continue to target the U.S. Department of Defense (DoD) supply chain in particular, posing a grave threat to national security. 

In response, the Biden administration is doubling down on protecting the federal government supply chain through measures such as the Department of Defense’s new cybersecurity framework — CMMC. 

Get an overview of the new DoD cybersecurity framework below, and download the full guide, Are You Ready for CMMC?, coauthored by AuditBoard and RSM US LLP.

What Is the CMMC Framework?

The Cybersecurity Maturity Model Certification (CMMC) Framework is a unifying standard that supports the common implementation of cybersecurity across the entire DoD supply chain. The DoD’s goal is to define its cybersecurity expectations in order to gain assurance that its contractors and subcontractors can adequately protect the DoD’s CUI within their unclassified networks. 

CMMC focuses on protecting, and better defining, the unclassified information categorized as federal contract information (FCI) and controlled unclassified information (CUI). The framework is built on NIST SP 800-171 and NIST SP 800-172: Level 2 maps to the 110 security requirements of NIST SP 800-171, organized into 14 domains that mirror the NIST control families, and Level 3 adds a subset of the enhanced requirements from NIST SP 800-172.

[Image: What Is the CMMC Framework - Requirements]

The shift to CMMC marks a clear evolution toward a “trust, but verify” model for cybersecurity compliance within the DoD supply chain. Whereas the prior DoD model allowed organizations to self-attest to their cybersecurity maturity, CMMC relies heavily on independent assessments by Certified Third-Party Assessment Organizations (C3PAOs).

While the latest release, CMMC 2.0, does allow all Level 1 contractors and some Level 2 contractors to self-assess, Level 2 contractors should assume an independent assessment will be required until the DoD criteria for Level 2 self-assessment are published. These certification assessments periodically verify that adequate cybersecurity practices and processes are in place to protect CUI and FCI. Organizations that process, store, or transmit CUI will in most cases need a certification that is valid for three years. Certification must be at or above the required level at the time of contract award.

Does CMMC Apply to My Organization? 

If you are a prime contractor or subcontractor that plans to do business with the DoD in the future, CMMC applies to you. Even if your organization does not handle CUI, the DoD will expect a minimum certification at CMMC Level 1. 

The DoD initially estimated that CMMC will impact 350,000+ defense contractors. Given the volume of subcontractors in the DoD’s multilayered supply chain, we expect that number to grow.

What CMMC Maturity Level Should My Organization Target? 

CMMC’s three maturity levels are cumulative: each level includes all of the practices and processes required by the levels below it.

[Image: What Is the CMMC Framework - Maturity Levels]

Your organization’s target maturity level should be based on the sensitivity of the controlled unclassified information (CUI) and federal contract information (FCI) you handle, as defined by the awarding agency or prime contractor. Organizations handling CUI are already subject to DFARS 252.204-7012, which requires implementation of NIST SP 800-171, and will be expected to certify at Level 2 or above.

To determine which CMMC maturity level to aim for as a baseline, it’s also helpful to consider:

  • Your organization’s overall strategic goals regarding DoD contracts. While the DoD CMMC FAQ is clear that initial implementation will be within the DoD, the DoD is encouraging other federal, state, and local agencies to consider adopting the standard.
  • What type of information you currently process, store, and transmit — and any plans for change in the near future. 
  • Where you currently store FCI or CUI within internal or external covered contractor information systems.
  • What is realistic for your organization to achieve in the near term, as well as what is realistic within the next few years. 

Finally, be aware that CMMC assessments are true “pass” or “fail.” To achieve certification at a given level, your organization must have successfully designed and implemented every one of that level’s defined cybersecurity requirements. CMMC 2.0 does permit a limited, time-bound Plan of Action and Milestones (POA&M) for certain lower-weighted requirements, but the highest-weighted requirements must be fully implemented at the time of assessment, and open POA&M items must be closed out within the allowed window.

For a deeper dive into starting or accelerating your CMMC journey, download AuditBoard and RSM’s full guide, Are You Ready for CMMC? Getting on the Right Track with the New DoD Cybersecurity Framework, for answers to the most common questions organizations have about CMMC. 

Charles Barley

Charles Barley Jr. is Principal, Risk Consulting at RSM US LLP, where he is responsible for the delivery of cybersecurity governance, risk and compliance services and serves as cybersecurity government contractor industry leader, in addition to functioning as RSM’s East market growth leader of the security and privacy risk solution. He has over 20 years of consulting experience and has served several multinational government contracting organizations and public sector institutions. Connect with Charles on LinkedIn.

Jason Sechrist

Jason Sechrist is the Director of Compliance Solutions at AuditBoard, where he works with CIOs, CISOs, and IT compliance teams to help automate the administrative tasks of governance, risk, and compliance activities. He previously was the Global Head of Internal Audit and IT Compliance at Rackspace Managed Cloud Company, and started his GRC career with PwC in Silicon Valley. Connect with Jason on LinkedIn.
