Every year, hackers and cybercriminals use more sophisticated methods to steal sensitive information and intellectual property. New methods for compromising security continue to mature, develop, and evolve. The value of unclassified sensitive data has increased, and the number of third-party suppliers and providers in the Defense Industrial Base (DIB) continues to shift, providing threat actors with new vectors to exploit. Malicious cyber actors continue to target the U.S. Department of Defense (DoD) supply chain in particular, posing a grave threat to national security.
In response, the Federal administration is doubling down on protecting the federal government supply chain through measures such as the Department of Defense’s new cybersecurity framework (CSF)— Cybersecurity Maturity Model Certification (CMMC). CMMC compliance and certification will require DoD service providers and suppliers to establish and maintain security controls in line with the framework, and in many cases aligned to NIST Special Publication (SP) 800-171.
What are the CMMC requirements, and which government contractors need to comply? What’s the difference between CMMC 1.0 and CMMC 2.0, and how does that affect your organization? Where, when, and how does NIST come into the picture? What should your organization do today?
Get an overview of the new DoD cybersecurity framework below along with the answers to the above questions and download the full guide, Are You Ready for CMMC?, coauthored by AuditBoard and RSM US LLP.
What Is the CMMC Framework?
The Cybersecurity Maturity Model Certification (CMMC) Framework is a unifying standard that supports the common implementation of cybersecurity controls and safeguards across the entire DoD supply chain. The DoD’s goal is to define its cybersecurity standards in order to gain assurance that its contractors and subcontractors can adequately protect the DoD’s controlled unclassified information (CUI) and federal contract information (FCI) within the contractor’s infrastructure.
History of the CMMC Program
The CMMC project was first conceived in 2019 by the Office of the Under Secretary of Defense to secure the Defense Industrial Base (DIB) sector providing military parts, products, and maintenance that meet the requirements of the US military. Technically, the CMMC program was an interim rule made to the Defense Federal Acquisition Regulation Supplement (DFARS), which governs federal procurement. This rule established the DoD’s first envisioning of the CMMC framework, known as “CMMC 1.0.”
In early 2021, in response to hundreds of public comments, the DoD began work on “CMMC 2.0,” releasing the updated framework in late 2021. Many of these comments pertained to small businesses that contract with the DoD and found themselves unable to meet the stipulations outlined in CMMC 1.0. One of the drivers for the development of CMMC 2.0 was to make the framework more accessible for smaller organizations. CMMC 2.0 will be the main topic of this article, as it supersedes and streamlines CMMC 1.0.
CMMC 2.0 Overview
With the prevalence, frequency, and persistence of complex cyber attacks on the DoD supply chain and DIB, DoD contractors have become an appealing target for threat actors around the world. To that end, the DoD introduced and updated the CMMC program, which focuses on protecting — and better defining — the sensitive data and unclassified information categorized as federal contract information (FCI) and controlled unclassified information (CUI) that resides with DoD contractors, subcontractors, and service providers. The model integrates various cybersecurity standards and best practices, including those from NIST SP 800-171 and NIST SP 800-172, organizing hundreds of controls across three maturity levels and 17 domains to ensure a robust defense against cyber threats.
The shift to CMMC marks a clear evolution toward a “trust, but verify” model for cybersecurity compliance within the DoD supply chain. Whereas the prior DoD model allowed organizations to self-assess cybersecurity maturity, CMMC relies heavily on independent assessments from Certified Third-Party Assessment Organizations (C3PAOs).
While the latest release of CMMC 2.0 does allow all Level 1 and some Level 2 contractors to self-assess, Level 2 contractors should assume an independent assessment will be required until the DoD criteria for annual self-assessment are published. Rulemaking for CMMC is yet to be finalized (as of May 2024) and continues to proceed with public comments and feedback (as of December 2023). These certification assessments periodically verify the implementation of adequate cybersecurity practices and processes to protect CUI and FCI. Organizations that process, store, or transmit CUI will typically require a CMMC certification that is valid for three years.
Another change CMMC 2.0 brings to the table is the option to use a Plan of Action and Milestones (POAM) instead of completely meeting a requirement. This means that, in some cases, having a POAM in place rather than a fully functioning control will be acceptable under CMMC 2.0. However, a POAM will not be accepted for critical controls, and should not be used as a replacement for an effective security control and strategy. Whenever possible, companies should seek to meet the full extent of the CMMC requirement.
Image: Commonly Used Acronyms
The CMMC 2.0 revision had the following core goals (as of November 2021):
- Protect sensitive data to enable and guard the warfighter.
- Enforce DIB cybersecurity standards to counter evolving attacks.
- Ensure accountability while reducing barriers to DoD compliance.
- Perpetuate a culture of collaboration in the practice of information security and cyber resilience.
- Maintain strong professionalism and ethical standards to earn public goodwill.
When Will CMMC 2.0 Be Required?
Currently, the DoD is in the process of rulemaking for CMMC 2.0, with a promised public comment period designated once the process is complete. The rulemaking is expected to continue through 2024 with additional regulatory updates for implementing contractual requirements (proposed changes and final rules associated with DFARS 252.204-7012, 252.204-7020, and 252.204-7021). The original CMMC framework was intended to have a five-year phase-in period, though this may change with the introduction of CMMC 2.0. In the meantime, the DoD has encouraged suppliers, providers, and contractors to continue to improve their risk management and information security programs to safeguard sensitive data. Companies looking to prepare for CMMC 2.0 ahead of time should consult NIST SP 800-171, which dovetails with the CMMC framework.
Only organizations that are renewing contracts or that will be developing new contracts with DoD in the future will be subject to the CMMC 2.0 requirements initially. Organizations that have existing contracts will not be expected to adhere to CMMC 2.0 until contract re-negotiation occurs, or a new contract is necessary, though this is subject to change as the rulemaking process continues.
Bottom line, CMMC 2.0 will not go into effect until rulemaking is complete, according to the official CMMC FAQ. However, even the so-called “father” of CMMC encourages companies to get ahead of the curve and begin implementing strong controls based on NIST 800-171 to protect critical assets, data, and infrastructure.
Does CMMC Apply to My Organization?
If you are a prime contractor, service provider, or subcontractor who plans to do business with the DoD in the future, CMMC applies to you. Even if your organization is not directly contracting with the DoD, if you are a subcontractor to a prime contractor that requires CMMC compliance, your organization will need to comply as well. If your organization does not handle CUI, the DoD will expect a minimum certification at CMMC Level 1.
The DoD initially estimated that CMMC will impact 350,000+ defense contractors. Given the volume of subcontractors in the DoD’s multilayered supply chain, we expect that number to grow.
According to the CMMC FAQ, only DIB contractors’ unclassified networks that process, store, or transmit FCI or CUI will be in-scope for CMMC.
Three Levels of CMMC Maturity
CMMC 2.0 defines three distinct levels of maturity, CMMC Level 1, CMMC Level 2, and CMMC Level 3. The rigor of requirements increases from 1 to 3, with CMMC Level 3 being the most rigorous level of CMMC compliance. Previously, CMMC 1.0 had five levels, which proved to be too complex and granular.
Now, CMMC Level 1 has 15 requirements and calls for an annual self-assessment and annual affirmation. Organizations at this level typically do not have CUI and only hold FCI. Level 1 is also known as the “Foundational” level. (CMMC ‘practices’ refer to the specific cybersecurity activities and measures that organizations must implement to achieve compliance.)
At CMMC Level 2, the “Advanced” level, organizations are expected to meet 110 NIST SP 800-171 stipulations, with either:
- Triennial third-party assessments performed by C3PAO assessors and annual affirmation, OR
- For select programs, triennial self-assessment and annual affirmation.
At CMMC Level 3, organizations must meet 110+ requirements from NIST SP 800-171 and a subset of NIST SP 800-172, and undergo a triennial (every three years) government-led assessment and attestation along with annual affirmation. This level is known as the “Expert” level, and requires sustaining the most stringent protections, controls, and processes.
Image: CMMC Levels of Maturity
What CMMC Maturity Level Should My Organization Target?
CMMC’s three maturity levels are cumulative. Each level contains the practices and processes included in any prior levels.
Your organization’s target maturity level should be based on the level of risk to controlled unclassified information (CUI) and federal contract information (FCI) as defined by the awarding agency or prime contractor. Organizations handling CUI are already subject to DFARS 252.204-7012 and the NIST 800-171 requirements it invokes, and will be expected to certify at Level 2 or above.
To determine which CMMC maturity level to aim for as a baseline, it’s also helpful to consider:
- Your organization’s overall strategic goals regarding DoD contracts. While the DoD CMMC FAQ is clear that the initial implementation will be within the DoD, the DoD is encouraging other federal, state, and local agencies to consider implementing the standard.
- What type of information you currently process, store, and transmit — and any plans for change in the near future.
- Where you currently store FCI or CUI within internal or external covered contractor information systems.
- What is realistic for your organization to achieve in the near future, as well as what is realistic within the next few years.
Finally, be aware that CMMC assessments are truly “pass” or “fail.” Under CMMC, your organization must have successfully designed and implemented 100% of each level’s defined cybersecurity requirements to achieve CMMC certification at a given level. The consequence of failing to “pass” a CMMC assessment is the inability to do business with the DoD, which can be a dire circumstance for businesses that focus on serving the government.
CMMC vs NIST
CMMC is not a NIST framework, despite deriving many of its security requirements and controls from NIST SP 800-171. CMMC is a DoD cybersecurity framework, designed to apply to the DoD supply chain and the DIB sector. NIST SP 800-171 is a special publication providing guidance on protecting CUI in non-governmental systems. This publication groups its requirements into 14 families, from Access Control to System and Information Integrity.
CMMC asks organizations within the DoD supply chain to comply with NIST SP 800-171 to an extent that depends on the organization’s level (1, 2, or 3). Level 1 organizations need only comply with 15 requirements; Level 2 organizations need to comply with the 110 requirements outlined in NIST SP 800-171; and Level 3 organizations need to comply with over 110 requirements drawn from NIST SP 800-171 and 800-172. Under the CMMC requirements, contractors will need to undergo a self-assessment or third-party assessment to confirm that they comply with the applicable NIST standard.
Certified Third-Party Assessment Organization Accreditation
A Certified Third-Party Assessment Organization (C3PAO) is an entity authorized by the CMMC Accreditation Body (CMMC-AB) to conduct independent assessments of organizations seeking CMMC certification. Before an organization is qualified to act as a C3PAO, it must be evaluated and approved by the CMMC Accreditation Body, The Cyber AB.
As part of self- and third-party assessments aligned with CMMC, organizations can expect a review of their policies and documentation; examination of evidence related to cybersecurity and IT general controls; interviews with process owners and stakeholders; and other procedures similar to a risk assessment or IT security audit.
Once CMMC 2.0 is finalized, self-assessments will occur annually and third-party assessments will occur every three years, or triennially.
Simplify the CMMC Framework Requirements With Purpose-Built Technology
CMMC compliance adds another important subset to the already vast compliance landscape facing enterprises and businesses today. Not all companies are affected, but those organizations serving the DoD and DIB sectors need to be vigilant about the future CMMC 2.0 requirements, as they may arrive sooner rather than later. The cost of noncompliance with CMMC is the inability to contract with the DoD, and could even affect relationships with other federal agencies if they choose to implement the CMMC requirements.
On the bright side, many CMMC controls may be fulfilled by existing controls at your organization, especially if your company already leverages NIST guidance from Special Publications 800-171 and 800-172. Incorporating CMMC 2.0 requirements into your information security controls stack can be streamlined with the help of the right technology. Purpose-built compliance software can narrow down your scope and streamline your CMMC compliance programs. Accelerate your CMMC journey today with AuditBoard!
Frequently Asked Questions About CMMC
What is the CMMC framework?
The CMMC framework is a set of standards and requirements that Department of Defense contractors, subcontractors, and providers are required to comply with.
Does CMMC apply to my organization?
CMMC may apply to your organization if it hosts or processes controlled unclassified information (CUI) and/or federal contract information (FCI), or if it is part of the Defense Industrial Base supply chain.
What is Controlled Unclassified Information (CUI)?
CUI is a category of sensitive information defined by the National Archives and Records Administration (NARA). CUI is not classified under the traditional levels (Confidential, Secret, or Top Secret); instead, the CUI program introduced a process for handling sensitive but unclassified information. This may include, but is not limited to, personally identifiable information (PII), proprietary business information, and certain law enforcement data.
What is Federal Contract Information (FCI)?
FCI was defined through the Federal Acquisition Regulation (FAR) system, which is issued jointly by the DoD, GSA, and NASA. FCI is information that is not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government. Examples include, but are not limited to, proposals, pricing information submitted by contractors, PII of employees working on certain federal projects, project management documents, and more.
What CMMC maturity level should my organization target?
An organization that does not host or process CUI and only hosts or processes FCI can typically aim for Level 1. An organization that hosts and/or processes CUI and FCI may need to comply with Level 2 or Level 3, depending on the finalized CMMC 2.0 rules.
Jason Sechrist is the Director of Compliance Solutions at AuditBoard, where he works with CIOs, CISOs, and IT compliance teams to help automate the administrative tasks of governance, risk, and compliance activities. He previously was the Global Head of Internal Audit and IT Compliance at Rackspace Managed Cloud Company, and started his GRC career with PwC in Silicon Valley. Connect with Jason on LinkedIn.