Since the Department of Defense revamped Cybersecurity Maturity Model Certification (CMMC) with the announcement of CMMC 2.0 on November 4, 2021, DoD contractors are left wondering if they will need CMMC certification.
The answer is still yes, but the way you might get there is changing.
CMMC is a unified cybersecurity standard for the implementation of cybersecurity across the Defense Industrial Base (DIB).
CMMC was created in response to lagging compliance with NIST Special Publication 800‑171, which required contractors working in government supply chains to comply as of December 31, 2017.
Because contractors could self-attest to compliance with NIST SP 800‑171, the DoD created CMMC to enhance national security and strengthen the cybersecurity of companies operating in government supply chains. The initial release of CMMC eliminated the option for self-attestation at any level. With the announcement of CMMC 2.0, self-attestation is an option for some companies at some levels.
self-attestation is possible in some cases with the announcement of CMMC 2.0
NIST 800-171 may have been the first exposure to compliance that many small companies working in government supply chains were faced with. As a flow-down clause, NIST 800-171 was the first compliance mandate that impacted not only prime contractors working directly for the government but also subcontractors working for primes or other subcontractors.
Like NIST 800-171, CMMC is also a flow-down clause. A company working under a government contract must comply with NIST 800-171 or CMMC (depending on the contract requirements) and ensure that every subcontractor working for them complies.
Companies performing under a DoD contract must maintain their CMMC certification throughout the contract.
Any entity in the government supply chain dealing with government-controlled unclassified information must be compliant. Typical entities include manufacturers, universities, research institutions, consulting companies, and service providers.
Companies that solely produce Commercial-Off-The-Shelf (COTS) products are not subject to CMMC requirements.
The method to become certified varies based on the level of CMMC you need to meet. The big distinction is whether you are protecting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
There are three levels in CMMC:
The original CMMC framework had five levels, but that has changed since the announcement of CMMC 2.0.
from Acquisition & Sustainment, Office of the Under Secretary of Defense
CMMC levels are based on the security criticality of the information you receive when performing under a contract. Level 2 compliance is harder to meet than Level 1 compliance, and Level 3 compliance is harder to meet than Level 2.
The contract under which you work will tell you which level you need to meet.
It is possible that you can be working for a prime contractor that has a higher level CMMC requirement than you do. If the prime only flows down select information, a lower CMMC level may apply to you.
To meet CMMC Level 1, you comply with 17 cybersecurity best practices.
Level 1 companies are protecting FCI, not CUI, and can self-certify. Many small businesses in the DIB will only need to meet Level 1 of CMMC.
To meet CMMC Level 1, you annually upload your assessment into the DoD Supplier Performance Risk System (SPRS). Only senior company officials (CEO, CFO, etc.) can make the CMMC Level 1 attestation to SPRS.
Corserva can assess your compliance with the 17 controls and guide you in submitting your assessment results to the government.
To meet CMMC Level 2, you follow all 110 best practices identified in NIST SP 800-171.
A subset of Level 2 companies will be able to self-certify annually, and others will need to hire an outside assessor (C3PAO) to perform the assessment every three years.
Companies that can self-certify will be able to use POA&Ms as an acceptable form of remediation for certain CMMC practices. POA&Ms will not be allowed for the highest-weighted requirements of CMMC.
You write POA&Ms (Plans of Actions with Milestones) to document controls to which you don't currently comply and how you plan to make changes to meet those gaps in the future.
Assuming you take the correct approach when developing a POA&M, it can be a valuable tool to improve the company's security posture. Just don't fall into the trap of using a POA&M as a checkmark to compliance. Instead of a procrastination step, your POA&M should be a roadmap to compliance, clearly outlining what steps you plan to take in the future to fully meet compliance.
In addition to POA&Ms, System Security Plans (SSP) can also be helpful on the path to a stronger security posture.
Corserva can create POA&Ms and SSPs for you and perform NIST 800-171 assessments.
A Certified 3rd Party Assessor Organization (C3PAO) is licensed by the CMMC Accreditation Body (CMMC-AB) to perform CMMC assessments. Only those companies listed as C3PAOs on the CMMC-AB Marketplace are authorized to perform C3PAO assessments.
Within the CMMC-AB Marketplace, note the distinction between an "Authorized C3PAO" and a "C3PAO Candidate." Only companies that are Authorized C3PAOs can perform CMMC assessments. A C3PAO Candidate has begun the process of applying to become a C3PAO but has not yet completed the process.
Level 2 companies requiring a C3PAO assessment can comply with CMMC as follows:
To meet CMMC Level 3, the company must meet more than 110 best practices based on NIST SP 800-172.
All Level 3 companies are required to pass a government-led assessment every three years.
Entities that deal with government-controlled unclassified information must comply with NIST 800-171 or CMMC.
The DoD is gradually transitioning from the NIST 800-171 mandate to CMMC. Per DFARS 252.204-7021, all new DoD contracts must comply with CMMC by October 1, 2025. Before October 1, 2025, the CMMC clause can be included in new contracts when approved by the DoD.
In Requests for Information (RFI) and Requests for Proposals (RFP), the DoD will specify the required CMMC level to which you need to meet. You need to be certified before contract award.
Follow these steps to prepare your company to participate in future government contracts that include CMMC requirements.
Corserva has created an easy process to help you get certified to CMMC at any level.
Corserva offers:
Get started today by requesting a quote for CMMC consulting services.