WHAT IS CMMC?

In January 2020 the Department of Defense (DoD) announced a new standard for assessing an organization’s cybersecurity posture, called the “Cybersecurity Maturity Model Certification (CMMC).” Under CMMC, all DoD contractors that process, transmit or store Controlled Unclassified Information (CUI) will be asked to be certified by a third-party assessment organization (C3PAO). The new CMMC program consists of five levels of certification covering both cybersecurity practices and processes.

WHEN WILL CMMC COMPLIANCE BE REQUIRED?

The CMMC Program implementation date is 60 days after the publication of the final Title 48 CFR CMMC acquisition rule. CMMC assessment requirements will be implemented using a four-phase plan over three years. After that time, all new contracts will be required to meet the CMMC framework. The third-party assessments will be conducted by accredited C3PAOs (Certified Third-Party Assessment Organizations).

WHAT ACTIONS SHOULD YOU TAKE NOW TO BE COMPLIANT?

Here are our recommendations:

  1. Identify where the CUI data resides in your company and who has both physical and electronic access to it. Limiting the number of people who can process CUI, and reviewing whether you have exported this data to foreign vendors or employees, is highly advised.
  2. Create, and update as needed, the following documents and records:
    • System Security Plan (SSP) – how you addressed the controls and how you will protect FCI and CUI (ITAR, EAR 600 Series)
    • Plan of Actions and Milestones (POAM) – how you will remediate gaps found during an assessment
    • Digital certificate needed to meet the DIBNET 72-hour incident reporting requirement
    • Your NIST assessment score, posted to the Supplier Performance Risk System (SPRS)

The SSP and POAM documents are required to meet DFARS 7012, thus allowing you to self-attest to any flow-downs or letters sent from a Prime. The POAM must be regularly updated to show your progress in closing the gaps identified during the assessment. The NIST assessment score must be reported to the Supplier Performance Risk System (SPRS) to meet the new DoD rules, DFARS 7019 and 7020.

CMMC FRAMEWORK REQUIREMENTS

The CMMC framework links the model to a systematic approach for achieving a certification level. It consists of several components: 14 domains and 110+ practices, with the applicable practices corresponding to the certification level.

  • Level 1 (Performed: 15 practices). An Organization Seeking Assessment (OSA) must demonstrate basic cyber hygiene practices, such as ensuring employees change passwords regularly to protect Federal Contract Information (FCI). FCI is "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government."
  • Level 2 (Managed: 110 practices). An OSA must have an institutionalized management plan to implement good cyber hygiene practices to safeguard CUI, including all the NIST 800-171 r2 security requirements and processes.
  • Level 3 (Optimizing: 134 practices). An OSA must have standardized and optimized processes in place, plus additional enhanced practices that detect and respond to the changing tactics, techniques and procedures (TTPs) of advanced persistent threats (APTs). An APT is an adversary that possesses sophisticated levels of cyber expertise and significant resources to conduct attacks from multiple vectors. Its capabilities include having the resources to monitor, scan, and process data forensics.

CMMC FOCUS

Each company might possess different types and sensitivities of Controlled Unclassified Information (CUI). The CMMC Program aligns with the DoD’s existing information security requirements for the DIB. It is designed to enforce the protection of sensitive unclassified information shared by the Department with its contractors and subcontractors. The program provides the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for nonfederal systems processing controlled unclassified information.

Key features of the CMMC Program:

  • Tiered Model: CMMC requires companies entrusted with sensitive unclassified DoD information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also outlines the process for requiring protection of information flowed down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the DoD to verify DIB implementation of existing cybersecurity standards.
  • Implementation through Contracts: DoD contractors and subcontractors handling sensitive unclassified DoD information must achieve a specific CMMC level as a condition of contract award.
CMMC

The CMMC Program provides assessments at three levels, each incorporating security requirements from existing regulations and guidelines.

Level 1: Basic Safeguarding of FCI

  • Requirements: Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.

Level 2: Broad Protection of CUI

  • Requirements:
    1. Either a self-assessment or a C3PAO assessment every three years, as specified in the solicitation.
      • Which type of assessment applies is determined by the type of information processed, transmitted, or stored on the contractor’s or subcontractor’s information systems.
    2. An annual affirmation verifying compliance with the 110 security requirements in NIST SP 800-171 Revision 2.

Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats

  • Requirements:
    1. Achieve CMMC Status of Final Level 2.
    2. Undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
    3. Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.

Source: DoD CIO (About CMMC)

HOW TO SELECT YOUR CMMC COMPLIANCE PROVIDER?

The Cyber Accreditation Body (Cyber-AB) is a non-profit, independent organization providing accreditation services for CMMC Third-Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC framework itself was created by the Department of Defense (DoD) to assess and strengthen the cybersecurity posture across the Defense Industrial Base (DIB). CMMC ensures that DoD suppliers have basic cybersecurity hygiene and protection for Controlled Unclassified Information (CUI).

The Cyber-AB has developed a CMMC Marketplace, the Cyber-AB Marketplace. The marketplace includes a list of approved Registered Provider Organizations (RPOs), Certified Third-Party Assessment Organizations (C3PAOs), Licensed Partner Publishers (LPPs), and Licensed Training Providers (LTPs), as well as individual providers. Once the CMMC Marketplace is fully established, DoD suppliers will be able to select one of the approved provider organizations for their CMMC assessment.

CyberNINES is a CMMC Registered Provider Organization (RPO) and a Candidate Certified Third-Party Assessment Organization (C3PAO). Our team of cybersecurity experts brings industry-best knowledge in assessing and managing cybersecurity requirements for the NIST SP 800-171 and CMMC frameworks. Our cybersecurity services provide high-value and affordable CMMC and NIST SP 800-171 assessments, audits, and compliance management to small and medium-sized businesses within the DoD supply chain. Services include Government Cloud solutions for Controlled Unclassified Information (ITAR and 600 Series) to meet DFARS 252.204-7012, 7019, and 7020 regulations, and virtual CISO services to reduce the cybersecurity risk posture of suppliers and primes.

Looking for help with your organization’s cybersecurity assessment or with meeting compliance with NIST SP 800-171 or CMMC? Send us an email at inquiry@cybernines.com or use the contact details below to schedule your free consultation with one of our experts.

EMAIL | inquiry@cybernines.com

PHONE | 608.512.1010 

SCHEDULE A MEETING | Meet with a Cybersecurity Expert