Everything about the Cybersecurity Maturity Model Certification (CMMC)

Table of Contents

  1. Introduction
  2. What’s the history of the CMMC?
  3. How does the CMMC work?
    1. Level 1, Foundational
    2. Level 2, Advanced
    3. Level 3, Expert
  4. Do I need to comply with the CMMC?
  5. What happens if I don’t comply with the CMMC?
  6. When will the CMMC rulemaking be finalized?
  7. How can I prepare for the CMMC?
  8. What does a CMMC certification entail?
  9. How does SaltyCloud help with the CMMC?

Introduction

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity model created by the Department of Defense (DoD) to protect American ingenuity and national security information. It gives the DoD a mechanism to assess and certify cyber readiness across the hundreds of thousands of contractors and subcontractors that make up the Defense Industrial Base (DIB).

In this guide, we’ll go over everything you need to know about the CMMC, including its history, structure, requirements, and certification process.

What’s the history of the CMMC?

In 2016, the DoD finalized the cybersecurity clause of the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012), a set of requirements that contractors and subcontractors in the DIB must follow to safeguard Controlled Unclassified Information (CUI) and report cyber incidents. Chief among them is implementing the 110 security requirements of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

In 2019, with DIB adoption of NIST 800-171 lagging and cyber threats growing, the DoD announced CMMC 1.0 (published in January 2020), which aimed to enforce the requirements through a structured third-party certification process rather than self-attestation. To enable a phased five-year rollout, the DoD also issued the DFARS Interim Rule in September 2020 (DFARS 252.204-7019, -7020 and -7021), which requires contractors to assess and report their NIST 800-171 compliance ahead of CMMC certification.

In 2021, after much backlash and confusion, and following a comprehensive review of over 850 public comments, the DoD updated the model and dubbed it “CMMC 2.0.” The updates simplify the program and minimize it in both scope and expectations, making it easier to understand and more feasible to adopt. If you’d like to learn more about what changed from CMMC 1.0 to CMMC 2.0, we wrote CMMC 2.0 is Here: 6 Key Updates.

How does the CMMC work?

The updated version of the CMMC consists of three progressively advanced cybersecurity levels: (1) Foundational, (2) Advanced and (3) Expert. Each level requires contractors to adhere to a series of security controls and either prove compliance through self-assessments or be certified triennially via a third-party assessment or government-led assessment (with full details yet to be finalized).

In limited cases, the DoD will allow contractors that have not met every requirement to document the open items in a Plan of Action & Milestones (POA&M), with a date by which each will be closed. In even rarer cases, the DoD will allow contractors to request a waiver of the CMMC requirements for a specific acquisition. The DoD has yet to release full details regarding POA&Ms and waivers, but the basic requirements of each level are as follows:

Level 1, Foundational

Contractors who handle Federal Contract Information (FCI) will be required to meet Level 1. They will need to implement 17 basic cyber hygiene practices drawn from NIST 800-171, which correspond to the 15 basic safeguarding requirements of FAR 52.204-21. Because FCI is not considered sensitive information, the DoD will allow these contractors to assess their own cybersecurity, submit the score and supporting documentation to the Supplier Performance Risk System (SPRS) annually, and have a senior company official affirm the result. No third-party or government-led assessments will be required for Level 1.

Level 2, Advanced

Contractors who handle CUI will be required to meet Level 2. They will need to implement the 17 practices from Level 1 plus the remaining 93 practices (aka controls), i.e. all 110 requirements of NIST 800-171. For some contracts, the DoD will allow these contractors to self-assess, submit scores and supporting documentation to the SPRS annually, and have a senior official affirm the result. For "prioritized acquisitions" involving information critical to national security, the DoD will require these contractors to be certified by a CMMC Third Party Assessment Organization (C3PAO) every three years.

Level 3, Expert

Contractors who handle the most sensitive CUI will be required to meet Level 3. They will need to align with all 110 NIST 800-171 controls and an additional number of controls (yet to be specified) from NIST 800-172. Unlike Level 1 and Level 2, the DoD will require contractors at this level to be certified via a government-led assessment. More details are still to come on the specific requirements for this level.

Do I need to comply with the CMMC?

When the rulemaking is finalized, all contractors and subcontractors in the DIB that handle FCI or CUI will be required to comply with the CMMC at the level specified in their contract. In the meantime, contractors handling CUI must comply with the DFARS Interim Rule, which requires them to conduct a NIST 800-171 Basic Assessment and submit a score into the SPRS using the DoD Assessment Methodology. Under that methodology, a fully compliant system scores 110; each unimplemented requirement deducts 1, 3 or 5 points depending on its weight, so the score can fall as low as -203, and items still open on a POA&M count as not implemented. If you’d like to learn how to conduct the NIST 800-171 Basic Assessment, we wrote the NIST 800-171 Basic Assessment Complete Guide.
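The following is an added example, written for this guide and not part of the DoD Assessment Methodology or any SaltyCloud product, showing how the SPRS score is derived from a set of assessment findings. The weight table is an excerpt covering only the requirements used in the sample findings; the values are this editor's reading of the methodology's Annex A and must be verified against the current version (and extended to all 110 requirements) before use. The sample findings are constructed for illustration.

```python
"""Compute a NIST SP 800-171 DoD Assessment Methodology score, the number a
contractor reports to SPRS, from a set of Basic Assessment findings.

Rules implemented (DoD Assessment Methodology, v1.2.1):
  * start at 110 (one point per requirement) and subtract the requirement's
    weight (5, 3 or 1) for every requirement that is not fully implemented;
  * a requirement still open on a POA&M counts as not implemented;
  * 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated
    cryptography) allow a partial deduction of 3 instead of 5;
  * without a system security plan (3.12.4) the assessment cannot be scored.
"""
from dataclasses import dataclass, field
from enum import Enum

MAX_SCORE = 110


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"              # only defined for 3.5.3 and 3.13.11
    NOT_IMPLEMENTED = "not_implemented"
    POAM = "poam"                    # open POA&M item; scored as not implemented


# Illustrative EXCERPT of the Annex A weight table (assumption: verify every
# value against the current methodology and add the remaining requirements).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify, report and correct flaws in a timely manner
}

# Partial-credit deductions the methodology defines for two requirements.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class ScoreResult:
    score: int
    deductions: dict = field(default_factory=dict)   # requirement -> points lost


def sprs_score(findings: dict) -> ScoreResult:
    """findings maps requirement id -> Status. Requirements not listed are
    treated as implemented, so only the gaps need to be recorded."""
    if findings.get("3.12.4", Status.IMPLEMENTED) is not Status.IMPLEMENTED:
        raise ValueError("3.12.4: no system security plan; the assessment cannot be scored")

    deductions = {}
    for req, status in findings.items():
        if status is Status.IMPLEMENTED:
            continue
        if req not in WEIGHTS:
            raise KeyError(f"{req}: not in WEIGHTS; extend the table from Annex A")
        if status is Status.PARTIAL:
            if req not in PARTIAL_DEDUCTION:
                raise ValueError(
                    f"{req}: partial credit exists only for {sorted(PARTIAL_DEDUCTION)}")
            deductions[req] = PARTIAL_DEDUCTION[req]
        else:  # NOT_IMPLEMENTED and POAM are scored identically
            deductions[req] = WEIGHTS[req]

    return ScoreResult(MAX_SCORE - sum(deductions.values()), deductions)


# Constructed sample findings: four gaps out of the 110 requirements.
SAMPLE_FINDINGS = {
    "3.1.1": Status.NOT_IMPLEMENTED,   # -5
    "3.5.3": Status.PARTIAL,           # MFA for remote/privileged only: -3
    "3.1.3": Status.POAM,              # tracked on a POA&M, still -1
    "3.13.11": Status.NOT_IMPLEMENTED, # no FIPS-validated crypto: -5
}

if __name__ == "__main__":
    result = sprs_score(SAMPLE_FINDINGS)
    for req, pts in sorted(result.deductions.items()):
        print(f"{req:8s} -{pts}")
    print(f"SPRS score: {result.score}")   # 96 for the sample findings
```

Recording only the gaps mirrors how an assessment is actually worked: the System Security Plan is the baseline, and every deviation from it becomes either a deduction or a POA&M entry, which, until closed, still costs the points.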

What happens if I don’t comply with the CMMC?

In short, you’ll lose any existing DoD contracts and you won’t be able to bid for any new ones, let alone get a contract award, until you meet the assessment and certification requirements at the relevant level.

When will the CMMC rulemaking be finalized?

The DoD has indicated that the rulemaking will take anywhere from 9-24 months from the release date of the CMMC 2.0. This means that the final rule may be published as early as August 2022 or as late as November 2023.

How can I prepare for the CMMC?

Going from 0 to 100% requires a well-oiled compliance workflow. Contractors need to adequately scope their organization, conduct a NIST 800-171 self-assessment, document gaps, implement remediation strategies, and collect process evidence. If you’d like to learn what practical steps you can take, we wrote The Step-by-Step Guide to Prepare for the CMMC.

What does a CMMC certification entail?

The DoD has yet to release certification guidelines or processes for the government-led assessments introduced in CMMC 2.0. As far as third-party assessments go, we expect them to be very similar, if not identical, to the process defined under CMMC 1.0. In order to receive a third-party certification, a Certified Assessor (CA) accredited by the CMMC Accreditation Body (CMMC-AB) and working for a C3PAO will need to audit your environment. The process may take anywhere from two days to one week depending on the size of your environment and the number of locations in scope.

On the first day of the audit, the CA will give a presentation to the management team and all relevant stakeholders about the objective of the audit along with a plan for conducting the audit.

During the course of the audit, the CA will review policies, practices, and plan documentation. They will request and analyze any evidence related to the implementation of each required practice (e.g., syslogs, screenshots, data points, paper trails, emails, etc.). They will also interview relevant stakeholders and employees.

After the CA has completed the audit, the C3PAO will submit the findings and recommendations to the CMMC-AB for quality review and final approval. Once the CMMC-AB approves the certification, the assessed environment will be certified at that level and the contractor will be eligible to receive contract awards from the DoD that require it.

How does SaltyCloud help with the CMMC?

SaltyCloud offers Isora GRC, a Governance, Risk, and Compliance (GRC) Assessment Platform that makes it easier for contractors to meet the cybersecurity requirements of the CMMC. It provides the ability to conduct assessments against the prescribed security frameworks (e.g., NIST 800-171, NIST 800-172, etc.), collect evidence, access dashboards, and export compliance reports and Plans of Action and Milestones (POAMs). SaltyCloud is a CMMC Registered Provider Organization (RPO). Learn more about Isora GRC.

Conclusion

Over the last few years, the DoD has made strides on its mission to dynamically enhance DIB cybersecurity to meet evolving threats and safeguard the information that supports and enables its warfighters. Although the CMMC has hit a few bumps in the road, its most recent November 2021 updates indicate that the model is here to stay, and contractors should be readying themselves for when the rules are finalized, which could happen as early as August 2022.

Over the past few years, the Defense Industrial Base (DIB) and the Department of Defense (DoD) supply chain have been the target of cyberattacks from nation-states and other malicious actors. In response to this growing threat and the need to better assess and enhance DIB cybersecurity maturity, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC). Specifically, its purpose is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The CMMC is not straightforward, requiring a lot of time and preparation. However, with some basic understanding of the requirements, you can effectively prepare your organization for certification. In this guide, we cover everything you need to know about the CMMC.
