TL;DR:
The CMMC is a verification mechanism from the DoD designed to enforce the protection of information that is shared with its contractors and subcontractors. Although it is not yet mandatory, DIB contractors can expect the CMMC to take effect in May 2023.
The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive program from the Department of Defense (DoD) to protect American ingenuity and national security information from increasingly frequent and complex cyberattacks. It provides the DoD with a mechanism to assess and certify cyber-readiness across the hundreds of thousands of contractors and subcontractors that comprise the Defense Industrial Base (DIB).
The CMMC program will likely take effect in May 2023, which means any organizations handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) will need to achieve compliance.
This complete guide reviews everything defense contractors need to know about the cybersecurity maturity model certification to prepare for compliance, including its structure, requirements, and certification process.
What is CMMC?
TL;DR:
CMMC compliance is a forthcoming requirement from the DoD for DIB contractors covering three guiding principles: (1) to protect sensitive information; (2) to create a unified cybersecurity standard; and (3) to ensure accountability. The program consists of three progressively advanced levels with different requirements: (1) Foundational; (2) Advanced; and (3) Expert.
At its foundation, three guiding principles define cybersecurity maturity model certification compliance:
- To protect sensitive unclassified information and defense information from cyber threats, cyberattacks, and nation-state actors;
- To create a unified cybersecurity standard for contractors; and
- To ensure accountability for defense companies responsible for protecting government data.
What are the 3 Levels of CMMC 2.0?
TL;DR:
CMMC 2.0 comprises three levels, with contractors required to follow security controls and prove compliance, and in limited cases, the DoD allows POAMs for uncertified contractors or waivers.
The most recent version of the CMMC framework consists of three progressively advanced levels: (1) Foundational, (2) Advanced, and (3) Expert. Each level requires contractors to adhere to a series of security controls and either prove compliance independently or be certified triennially via a third-party or government-led assessment.
In limited cases, the Department of Defense will allow uncertified contractors to deploy a Plan of Action & Milestones (POAM) to show that they will achieve certification by a specific date. In even rarer cases, the DoD will allow contractors to request a waiver of all requirements. The DoD has yet to release full details regarding POAMs and waivers.
CMMC Level 1: Foundational
Contractors who handle FCI will be required to meet Level 1 CMMC compliance. These contractors will need to align with 17 basic cyber hygiene practices. These controls are listed in Federal Acquisition Regulation (FAR) 52.204-21 and are further defined in NIST SP 800-171.
Because FCI is not sensitive information, the Department of Defense will allow Level 1 contractors to self-assess their cybersecurity. It will require them to submit scores and other documentation to the Supplier Performance Risk System (SPRS) yearly. Level 1 compliance does not require third-party or government-led assessments.
CMMC Level 2: Advanced
Contractors who handle CUI will be required to meet Level 2 CMMC compliance. These contractors must align with the initial 17 practices from Level 1 and an additional 93 practices in NIST 800-171. As with Level 1 compliance, the DoD will require these contractors to assess their cybersecurity yearly and submit scores and other documentation to the SPRS.
For “prioritized acquisitions,” the DoD will require these contractors to be certified by a CMMC Third Party Assessment Organization (C3PAO) every three years.
The Cyber Accreditation Body (AB) is the official accreditation body of the CMMC ecosystem and the sole authorized non-governmental partner of the DoD in implementing and overseeing the CMMC conformance regime. It has released the CMMC Assessment Process (CAP), which provides helpful guidance for contractors that are beginning to prepare for their CMMC Level 2 assessment.
CMMC Level 3: Expert
Contractors who handle the most sensitive CUI will be required to meet Level 3 CMMC compliance. These contractors need to align with all 110 NIST 800-171 controls plus an as-yet-unspecified number of additional controls from NIST 800-172.
Unlike Level 1 and Level 2 compliance, the DoD will require contractors at this maturity level to be certified via a government-led assessment. As of February 2023, the DoD has yet to release further details on the complete enhanced security requirements for this level.
CMMC timeline
TL;DR:
In 2015, the DoD released DFARS; in 2019, the DoD launched CMMC 1.0; in 2021, the DoD launched CMMC 2.0; in May 2023, CMMC 2.0 compliance is expected to become required.
In 2015, the Department of Defense released the Defense Federal Acquisition Regulation Supplement (DFARS), a series of cybersecurity and information security requirements that defense industrial base contractors and subcontractors must follow to protect controlled unclassified information and FCI. DFARS requirements include complying with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
In 2019, with adoption by the defense industrial base lagging and cyber threats growing, the DoD launched the CMMC 1.0, which aimed to ensure enhanced security through a structured third-party certification process. In addition, to enable a phased five-year rollout, the DoD released the DFARS Interim Rule, which requires defense industrial base contractors to work towards NIST 800-171 compliance ahead of cybersecurity maturity model certification.
In 2021, after much backlash and confusion and following a comprehensive review of over 850 public comments, the DoD released CMMC 2.0. There were several notable changes from CMMC 1.0 to CMMC 2.0. Most importantly, the updates simplify the CMMC program and minimize it both in scope and expectations, making it easier to understand and more feasible to adopt.
As of 2023, the exact timing of the CMMC 2.0 rulemaking process has yet to be determined. However, a notice of the proposed rule is expected in May 2023, which means CMMC assessments could begin showing up in contracts as soon as 2024. As CMMC becomes a reality for companies in the DIB, establishing compliance will be critical to protecting existing and future contracts with the DoD.
Who needs to comply with CMMC?
TL;DR:
DoD prime contractors, DoD subcontractors, and any suppliers within the DoD supply chain will need to achieve CMMC compliance to retain and be awarded contracts by the DoD. According to the DoD, CMMC requirements will affect over 300,000 organizations.
Although many contractors are not yet required to obtain CMMC assessments, they are required to follow cybersecurity standards. When the rulemaking is final, all contractors and subcontractors in the DIB must comply with the CMMC program at the level designated in their contract. This includes:
- Prime contractors
- Subcontractors
- Any suppliers within the DoD supply chain
According to the DoD, forthcoming CMMC requirements stand to affect over 300,000 organizations. In the meantime, contractors must comply with the Interim DFARS Rule, which requires a NIST SP 800-171 Basic Assessment.
Who manages subcontractor CMMC compliance?
Prime contractors who work with subcontractors will need to manage their subcontractor supply chain network and keep track of data flow. If a prime contractor shares or discloses CUI, the subcontractor must be Level 2 CMMC compliant. If the prime contractor shares or discloses FCI, the subcontractor must be Level 1 CMMC compliant.
There are no subcontractor compliance requirements if the prime contractor does not share or disclose CUI or FCI. Prime contractors will require a CMMC subcontractor risk management platform to ensure compliance.
When will the CMMC rulemaking be finalized?
TL;DR:
Although the date is subject to change, the final rule is expected to take effect in May 2023. This means CMMC assessments could show up in contracts as soon as 2024.
Although it has been almost four years since the Pentagon announced that it planned to begin certifying DoD contractors as early as 2020, rolling out the program has been complex.
However, the DoD has indicated that the final rule will take effect in May 2023. This date is subject to change, but contractors should begin taking steps toward CMMC compliance as a precaution.
What happens if I don’t comply with CMMC?
TL;DR:
Contractors that don’t comply with CMMC will lose existing DoD contracts, won’t be able to bid for new contracts, and won’t be able to get a contract award until they can demonstrate compliance. Contractors who are knowingly noncompliant may be held accountable by the DOJ.
Once the notice of proposed rulemaking is published, the program’s requirements will likely take effect as part of a phased rollout. Any contractors that don’t comply with the CMMC framework will lose any existing DoD contracts, won’t be able to bid for any new contracts, and won’t be able to receive a contract award until they can demonstrate compliance with the level required in the contract. More details on implementation will be available following the forthcoming rulemaking.
Recent reports indicate that many contractors aren’t following the required NIST cybersecurity controls, so CMMC compliance readiness will be a critical differentiator once the rules take effect.
The Department of Justice (DOJ) has also launched the Civil Cyber-Fraud Initiative, which will use the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. That means contractors who knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate obligations to monitor and report cybersecurity incidents and breaches will be held accountable.
How can I get CMMC certified?
TL;DR:
CMMC compliance begins with preparation and confidence: scope your organization adequately, conduct a NIST 800-171 self-assessment, document gaps, remediate them, and collect evidence. Then, hire a C3PAO to conduct a certification assessment, which consists of four phases.
As the proposed rulemaking date nears, preparation and confidence are essential for success. Contractors with the necessary IT staff and CMMC resources may opt to prepare in-house. To do so, contractors must scope their organization adequately, conduct a NIST 800-171 self-assessment, document gaps, remediate them, and collect evidence.
In most cases, having an automated assessment and evidence-collection platform will be helpful, if not necessary, for this process. Once contractors are confident in their compliance status, they can hire a C3PAO to conduct a certification assessment.
Contractors can expect a C3PAO assessment to consist of the following four phases:
- Phase 1: This phase starts with pre-assessment planning and includes gathering initial scope information, completing the artifact intake form, identifying assessment team members, developing a rough order of magnitude (ROM) and assessment plan, completing and approving the assessment plan, and conducting a readiness review.
- Phase 2: In this phase, the C3PAO conducts the CMMC Assessment, which begins with an opening meeting between your organization and the assessment team. Next is the analysis and review of objective evidence related to the CMMC processes and practices, a discussion of any preliminary findings, and the final output. Again, having an automated assessment and evidence-collection platform that the C3PAO can tap into will make this phase much more manageable.
- Phase 3: This phase covers post-assessment reporting. Assessors gather results and send them, with recommendations, to the sponsor of the Organization Seeking Certification (OSC) and to the CMMC-AB, which triggers a CMMC-AB QA review. Based on the review, the CMMC-AB issues or denies a level recommendation.
- Phase 4: This phase may require remediation if the assessment identifies that a company falls a few practices short of the target CMMC performance level. The C3PAO will forward the remediation request to CMMC-AB for approval. If approved, contractors will have 90 days to address any shortfalls in performance.
How Isora GRC from SaltyCloud can help
TL;DR:
Isora GRC from SaltyCloud is the powerfully simple CMMC solution, making regulatory compliance easier while helping organizations improve their cyber resilience.
The race against time to prepare for CMMC is intensifying as organizations attempt to safeguard sensitive data and meet DoD requirements ahead of anticipated implementation in May 2023.
Knowing where sensitive data resides, if it’s protected, and whether it meets the CMMC requirements warrants an agile and lightweight solution that transcends outdated GRC platforms and tedious manual spreadsheets.
Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.
- Ace CMMC compliance audits with collaborative surveys, risk assessments, dynamic dashboards, and insightful reporting for auditors and leadership.
- Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
- Protect CUI and other sensitive data with a comprehensive host inventory, robust API integrations, and continuous assessments.
- Minimize third-party risk with a complete vendor inventory, vendor risk assessment surveys, and vendor approval workflows.
Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.
Discover how companies use Isora GRC from SaltyCloud to ease the pressure of CMMC.