What Is the DoD’s Cybersecurity Maturity Model Certification (CMMC)
When the Department of Defense (DoD) announced it was creating a framework for cybersecurity policy assessment and certification, and that certifications would start to be required for contracts, many businesses were caught off guard. In fact, many today are still largely unaware of the new CMMC 2.0 requirements or how they can become certified.
So, let’s cover the basics to make sure your business is ready for one of the most important new DoD requirements to emerge in many years (one that may soon be replicated by military forces of other nations as well as our own federal civilian agencies).
What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification.” It is a new requirement for DoD contractors to ensure that they and companies within their supply chain meet cybersecurity standards. In the past, government contractors had a self-assessment model to verify they met standards. The DoD wants to move away from self-assessment and into a more formal framework that includes certification from DoD-approved organizations. The benefit of this approach is that it better ensures overall cybersecurity practices throughout the DoD community and helps protect Controlled Unclassified Information (CUI) that exists in DoD partner networks.
The certification process is built on existing requirements such as NIST SP 800-171, NIST SP 800-53, AIA NAS9933, private sector contributions, and input from academia.
CMMC 2.0 consists of 3 levels to protect Federal Contract Information (FCI), Controlled Unclassified Information (CUI), and CUI/Critical CUI for organizations in the DoD supply chain. These levels will range from “Foundational” to “Expert.” The ultimate impact will be that a government contractor will need to be certified at a certain level in order to be eligible to bid on a DoD contract opportunity.
What are the CMMC levels?
As noted above, there are three security levels within CMMC. They are:
- Level One: Foundational
- Requires an organization to meet the requirements for 17 practices across 6 policy domains.
- Consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.
- Level Two: Advanced
- Requires an organization to meet the requirements for 110 practices across 14 policy domains.
- Consists of security requirements specified in NIST SP 800-171 Rev. 2.
- Level Three: Expert
- Requires an organization to meet the same 110 practices as Level Two (NIST SP 800-171) plus a subset of NIST SP 800-172 controls.
- The DoD is still determining the full requirements; the current count is 130 practices/controls.
- Focuses on the protection of CUI from Advanced Persistent Threats (APTs).
How can my business become certified?
Your business will need to be assessed by one of the CMMC third-party assessment organizations once it is ready for certification.
Once the assessment has been performed and approved, your company will be awarded the appropriate CMMC certification.
How do I request certification assessment?
We expect that there will be a number of companies providing third-party CMMC assessment and certification. For more information on certification, visit cyberab.org.
I am a subcontractor on a DoD contract. Do I need to be certified?
It is important to note that all current DoD contractors and subcontractors must be compliant with their current contracts, which most likely means compliance with NIST SP 800-171. If you haven’t already done so, or are still working on certain policies or practices, visit our tool to help you get started.
Level 1 organizations and a subset of organizations at Level 2 can be compliant with CMMC 2.0 requirements through self-assessments.
Other Level 2 organizations (based on contract requirements such as DFARS 7012) will need to pass a third-party or government-led assessment.
All Level 3 organizations will need to obtain a CMMC certification.
Proactive subcontractors will be seen as an asset to prime contractors. If you are a prime contractor, this means you will need to be very assertive in helping your subcontractors understand what they need to do. Failure to comply may result in those subcontractors being ineligible to participate in future contract opportunities.
How often does my Organization need to be reassessed?
Reassessment is currently required on a triennial basis (every three years).
What is the current timeline for CMMC implementation?
On December 26, 2023, the Department of Defense (“DoD”) published the Proposed Final Rule for the Cybersecurity Maturity Model Certification (“CMMC”) program. The Proposed Final Rule is currently undergoing a 60-day comment period, which ends on February 26, 2024. CMMC will be implemented in 4 phases.
Implementation Details
Phased Implementation: Ultimately, the CMMC rules will be implemented by making the required certifications a condition of receiving award of a federal contract. The proposed rule lays out an implementation plan that consists of four phases: Phase 1 will require CMMC Level 1 or Level 2 self-assessments under applicable solicitations; Phase 2 will require CMMC Level 2 certification assessments; Phase 3 will include CMMC Level 3 certification assessments; and Phase 4 will include full implementation for all applicable solicitations.
Timeline:
- Phase 1 begins on the effective date of the DFARS rule.
- Phase 2 begins six months after the start date of Phase 1.
- Phase 3 begins one calendar year after the start date of Phase 2.
- Phase 4 begins one calendar year after the start date of Phase 3.
Under this phased plan, the DoD intends to include CMMC requirements for Levels 1, 2, and 3 in all solicitations on or after October 1, 2026.