The Cybersecurity Maturity Model Certification (CMMC) aims to protect America’s Defense Industrial Base (DIB), and is a long-awaited approach that follows on years of attempts to unify cybersecurity practices for Department of Defense contractors. Weapons, aircraft carriers, and planes might be the first thing you think of, but the Department of Defense (DoD) and its supply chain rely heavily on information technology infrastructure and on the exchange of Controlled Unclassified Information (CUI).
You may know that the DIB has a not-so-pleasant history of failing to secure this information from our adversaries’ prying eyes. Diverse digital platforms, while useful, present novel challenges because of their heterogeneous nature. The CMMC addresses this by creating standardization through a welcome maturity-based approach that doesn’t treat every organization like a federal military installation. The focus is compliance with the requirements at each target maturity level: it starts with protecting Federal Contract Information (FCI) at CMMC Level 1 and seeks to protect CUI at CMMC Level 2.
Organizations Seeking Certification (OSC) are the prime and sub-contractors providing goods and services to the DoD under federal contracts. When CMMC becomes official sometime in 2024, these organizations must earn a certification at their target level, or they will no longer be able to do business with the DoD or the primes. Target levels are determined by the types of information processed, stored, and/or transmitted by an OSC, and will be communicated in the contracts for the primes, or by the primes to their subcontractors.
If you’re only working with FCI, for instance, then your target is CMMC Level 1, and there are just 17 basic cybersecurity practices you must demonstrate as implemented in your organization to earn the certification.
If you are receiving, storing, and/or processing CUI, your target is Level 2. There are 110 practices mirroring NIST SP 800-171. Demonstration of Level 2 compliance is achieved during an official CMMC Assessment conducted by certified assessors working for any one of the Certified Third-Party Assessor Organizations (C3PAO). Each certification is good for three years, at which time another assessment will be conducted to keep the certification current. Unlike NIST SP 800-171, the CMMC will not allow self-certification for Level 2 except in certain circumstances during the initial roll-out.
Full compliance at Level 3 spans all security domains, covering topics from access control to physical security. Level 3 is expected for contracts involving more sensitive data and will follow NIST SP 800-172. Assessments will determine whether plans are established and maintained, whether control procedures are performed, documented, and managed, and whether sufficient cyber hygiene is practiced so that CUI is adequately protected.
Glossary
FCI: Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
CUI: Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
Reference
Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB). CMMC Appendices V2.1, December 2023