What Is the DoD’s Cybersecurity Maturity Model Certification (CMMC)
When the Department of Defense (DoD) announced that it was creating a framework for assessing and certifying contractor cybersecurity, and that certification would start appearing as a requirement in contracts in the fall of 2020, many businesses were caught off guard. Many are still largely unaware of the new CMMC requirement, or of how they can become certified.
So, let’s cover the basics to make sure your business is ready for one of the most important new DoD requirements to emerge in many years (one that may soon be replicated by military forces of other nations as well as our own federal civilian agencies).
What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification.” It is a new requirement for DoD contractors, intended to ensure that they and the companies within their supply chain meet defined cybersecurity standards. In the past, government contractors self-assessed and attested to their own compliance (for CUI, against NIST SP 800-171 under DFARS clause 252.204-7012). The DoD wants to move away from self-assessment to a more formal framework in which an independent, DoD-accredited third-party assessment organization verifies the contractor's practices and issues the certification. The benefit of this approach is that it provides stronger assurance of cybersecurity practice across the DoD supply chain and helps protect Controlled Unclassified Information (CUI) that resides on DoD partner networks.
The model is built on existing requirements and references such as NIST SP 800-171, NIST SP 800-53 and AIA NAS9933, along with contributions from the private sector and academia.
CMMC consists of five levels that measure the “maturity” of a government contractor's cybersecurity. Each level names both a set of practices, ranging from “Basic Cyber Hygiene” at Level 1 to “Advanced” at Level 5, and a degree of process maturity, ranging from “Performed” at Level 1 to “Optimizing” at Level 5. The levels are cumulative: to be certified at a given level, an organization must meet the practices and processes of that level and of every level below it. This allows the DoD to specify a required CMMC level in future contracts, and the ultimate impact is that a contractor will need to be certified at the required level in order to be eligible for a DoD contract opportunity.
What are the CMMC levels?
As noted above, there are five levels within CMMC. They are:
- Level One: Basic Cyber Hygiene
  - Requires an organization to perform a specified set of practices.
  - Consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems), which apply to any contractor that handles Federal Contract Information (FCI).
- Level Two: Intermediate Cyber Hygiene
  - Requires an organization to establish and document its practices and policies.
  - Serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST SP 800-171, plus practices drawn from other standards and references.
- Level Three: Good Cyber Hygiene
  - Requires an organization to establish, maintain, and resource a plan that demonstrates how it manages the activities needed to implement its practices.
  - Focuses on the protection of CUI and encompasses all of the security requirements in NIST SP 800-171 (the baseline already required by DFARS clause 252.204-7012), together with additional practices.
- Level Four: Proactive
  - Requires an organization to review and measure its practices for effectiveness and to take corrective action when necessary.
  - Focuses on the protection of CUI from Advanced Persistent Threats (APTs) and encompasses a subset of the enhanced security requirements from NIST SP 800-171B as well as other cybersecurity best practices.
- Level Five: Advanced (process maturity: Optimizing)
  - Requires an organization to standardize and optimize process implementation across the organization.
  - Increases the depth and sophistication of cybersecurity practices for protecting CUI from APTs.
How can my business become certified?
Right now the DoD is building a network of independent, accredited third-party organizations that will provide assessment and certification services. Your business will need to work directly with one of these organizations to request and schedule a CMMC assessment.
Before you request an assessment, determine which level you need: it is driven by the contracts you intend to pursue, and in particular by whether you will handle only Federal Contract Information (Level 1) or CUI (Level 3 or higher). Your company then tells the assessment organization which level it is seeking, and the assessor verifies that every practice and process required at that level and below is actually implemented. Because the levels are cumulative and the assessment is pass/fail against the full set of practices, not all businesses will qualify for every level, and a practice that is planned but not yet in place does not count at assessment time.
Once the assessment has been performed and the result approved, your company will be awarded the appropriate CMMC certification.
How do I request certification assessment?
We expect that there will be a number of companies providing third-party CMMC assessment and certification; you will request an assessment directly from one of them.
I am a subcontractor on a DoD contract. Do I need to be certified?
Yes. All companies doing business with the U.S. Department of Defense, including subcontractors at every tier, will need to be certified, because the goal is to protect DoD information throughout the supply chain. The level a subcontractor needs depends on the information that flows down to it, not on the prime's level: a subcontractor that handles only Federal Contract Information needs Level 1 even when the prime holds Level 3 for CUI. Proactive subcontractors will be seen as an asset to prime contractors. If you are a prime contractor, you will need to be very assertive in helping your subcontractors understand what they must do, because a subcontractor that fails to obtain the required certification will be ineligible to participate in future contract opportunities.
How often does my Organization need to be reassessed?
The duration of a certification is still under consideration.