The Cybersecurity Maturity Model Certification (CMMC) was created to strengthen the cybersecurity posture of companies participating in US Department of Defense (DoD) supply chains. Since December 31, 2017, DoD contractors that handle Controlled Unclassified Information (CUI) have been required under DFARS 252.204-7012 to implement NIST SP 800-171. Starting in 2020, with the introduction of the CMMC DFARS clause (252.204-7021), the DoD began gradually adding CMMC certification requirements to contracts, replacing the self-attested NIST 800-171 compliance that contractors relied on before.
There are two significant differences between CMMC and NIST 800-171:
- Unlike NIST 800-171, CMMC offers no option for self-attestation; certification requires an assessment by an accredited third party.
- CMMC defines five levels of increasing maturity, and each contract specifies which level a supplier must meet.
CMMC - A New Cybersecurity Standard
The Cybersecurity Maturity Model Certification (CMMC) is a unified cybersecurity standard created to increase the security posture of companies operating in DoD supply chains. Version 1.0 was released in January 2020, and a minor update, Version 1.02, followed in March 2020. This page describes that CMMC 1.0 model; the DoD later revised it (CMMC 2.0, announced November 2021) to three levels with self-assessment permitted at Level 1 and for some Level 2 contracts, so confirm the current model on the DoD CMMC site before planning a certification effort.
The Department of Defense planned to begin migrating from self-attested NIST 800-171 compliance to the CMMC framework later in 2020.
Under that plan, CMMC requirements could appear in selected RFIs and RFPs starting in September 2020, and by 2026 all new DoD contracts will require CMMC.
You can learn more about CMMC at these government sites:
- Office of the Under Secretary of Defense for Acquisition & Sustainment, Cybersecurity Maturity Model Certification
- CMMC Accreditation Body (CMMC-AB)
No More Self-Attestation
The CMMC framework requires every company seeking certification to engage an accredited, independent third-party organization to perform a CMMC assessment. Under this framework there is no longer an option for self-attestation.
The CMMC 1.02 framework contains 5 maturity processes and 171 cybersecurity practices, organized into 17 domains and progressing across 5 maturity levels. The practices are cumulative: each level includes every practice from the levels below it. The CMMC maturity processes institutionalize cybersecurity activities to ensure they are consistent, repeatable, and of high quality. The practices provide a range of mitigation across the levels, starting with basic safeguarding of Federal Contract Information (FCI) at Level 1, moving to broad protection of CUI at Level 3, and culminating with reducing the risk from Advanced Persistent Threats (APTs) at Levels 4 and 5.
These levels capture both the security practices and the processes that mature a company's cybersecurity. Each DoD contract stipulates which level (1, 2, 3, 4, or 5) a supplier must meet, and a company must satisfy both the processes and the practices of a level to be certified at it.
A subcontractor working for a prime contractor does not necessarily need to meet the same level as the prime. For example, a prime may need Level 3 to win a contract, while a supplier to that prime may only need Level 1 if it will only ever handle FCI and will never receive or touch CUI.
Many small businesses whose contracts involve only FCI will need to meet only Level 1.
LEVEL 1 - Safeguard Federal Contract Information (FCI)
♦ Level 1 Processes: Performed
Practices must be performed, but no documentation of process maturity is required at this level.
♦ Level 1 Practices: Basic Cyber Hygiene
17 practices, equivalent to the 15 basic safeguarding requirements in FAR 52.204-21.
LEVEL 2 - Serve as a transition step in cybersecurity maturity progression to protect CUI
♦ Level 2 Processes: Documented
Requires a policy for each domain and documentation of the practices that implement that policy.
♦ Level 2 Practices: Intermediate Cyber Hygiene
72 practices in total (the 17 from Level 1 plus 55 new), drawn largely from a subset of NIST SP 800-171.
LEVEL 3 - Protect CUI
♦ Level 3 Processes: Managed
Requires a plan for each domain that covers missions, goals, project plans, resourcing, training, and stakeholder involvement.
♦ Level 3 Practices: Good Cyber Hygiene
130 practices in total, covering all 110 NIST SP 800-171 requirements plus 20 additional practices. There is therefore a direct correlation between NIST 800-171 and CMMC Level 3.
LEVEL 4 - Protect CUI and reduce risk of Advanced Persistent Threats (APTs)
♦ Level 4 Processes: Reviewed
Requires an organization to review and measure its practices for effectiveness and to inform higher-level management of status or issues on a periodic basis.
♦ Level 4 Practices: Proactive
156 practices in total, focused on protecting CUI from APTs. Draws on the draft NIST SP 800-171B (since published as NIST SP 800-172) and adds enhanced detection and response capabilities.
LEVEL 5 - Protect CUI and reduce risk of APTs
♦ Level 5 Processes: Optimizing
Requires an organization to standardize and optimize process implementation across the organization, taking corrective action where needed.
♦ Level 5 Practices: Advanced/Progressive
171 practices in total, increasing the depth and sophistication of cybersecurity capabilities.
How to Comply with CMMC
The CMMC framework requires every company seeking certification to be assessed by an accredited, independent third-party organization called a "CMMC Third Party Assessment Organization," or C3PAO. A C3PAO is trained and accredited by the CMMC-AB to perform CMMC assessments. As of May 5, 2021, no C3PAO had yet been authorized to perform assessments.
CMMC Compliance Process
Companies operating in DoD supply chains need to be certified by a C3PAO, which assesses the company's level of compliance with CMMC. DoD contracts specify which level (1 through 5) a company must meet. Starting in 2020, CMMC requirements could be introduced in new RFIs and RFPs, and by 2026 all new DoD contracts are expected to require CMMC certification rather than self-attested NIST 800-171 compliance.
With the adoption of CMMC, self-attestation no longer makes a company eligible to participate in DoD contracts that carry a CMMC requirement.
The process to achieve CMMC certification is as follows:
- Determine the CMMC level you need to meet, based on the contracts you plan to bid on (and whether they involve FCI only or CUI) or on internal business goals.
- Define the assessment scope: the systems, networks, and people that store, process, or transmit FCI or CUI, since this boundary is what the assessor will examine.
- Prepare internally to meet the selected level. Identify gaps in your processes and systems, and document the in-scope environment in a System Security Plan (SSP). Under CMMC 1.0, every practice at the target level must be fully implemented at the time of the assessment; a Plan of Action and Milestones (POA&M) is not accepted in place of an implemented practice. You can leverage the services of a CMMC-AB Registered Provider Organization™ (RPO) listed in the CMMC-AB Marketplace to help you.
- Select a C3PAO from the CMMC-AB Marketplace. As of May 5, 2021, no C3PAO had yet been authorized to perform assessments.
- Engage the C3PAO to perform the assessment.
- The C3PAO submits the assessment results to the CMMC-AB for review.
- Certification is issued to the company.
The certification is valid for 3 years, after which the company must be reassessed to renew it.
The Overlap of NIST 800-171 and CMMC
Because CMMC is being rolled out gradually, there will be a period in which both NIST 800-171 and CMMC are in effect. By 2026, all new DoD contracts are expected to include CMMC cybersecurity requirements.
Suppliers working under multiple contracts may be complying with NIST 800-171 on some contracts and CMMC on others. Because CMMC Level 3 contains all 110 NIST 800-171 requirements, work done toward NIST 800-171 carries directly over to a Level 3 assessment.
CMMC Impact to Current Contracts
No existing contracts will have CMMC requirements inserted into them; CMMC requirements apply only to new contracts going forward.
The certification required to win a contract must be in place at the time of award, not at the time of proposal.
You should think of NIST 800-171 as the foundation for CMMC. NIST 800-171 contains 14 families of requirements, totaling 110 individual requirements across those families.
CMMC Levels 1 through 3 encompass all 110 NIST 800-171 requirements (Level 3 adds 20 practices beyond them), and there are 171 practices in total across the five CMMC levels.
NIST 800-171 under DFARS 252.204-7012 relies on self-attestation and allows a System Security Plan with POA&Ms for requirements not yet implemented, whereas CMMC 1.0 requires every practice at the target level to be fully implemented and verified by a third-party assessor, with no POA&Ms. NIST 800-171 was about compliance; CMMC is about reducing risk in DoD supply chains. What hasn't changed is the goal: to protect information.
Get Ready for CMMC Now
As a CMMC-AB Registered Provider Organization™ (RPO) listed in the CMMC-AB Marketplace, Corserva can help companies prepare for a CMMC assessment.
Corserva offers a straightforward process for your organization to prepare for a CMMC assessment. Request a quote today to protect your government contracts and reduce your cyber risk.