Cybersecurity Maturity Model Certification (CMMC) Overview
What is CMMC and Why Does It Matter?
Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework aimed at enhancing the cybersecurity protections of contractors to the United States Department of Defense (DoD). It builds upon existing federal cybersecurity requirements and adds certification by a third party for some contracts. CMMC verbiage is being added to new contracts over the next few years, and compliance will be mandatory for all prime- and sub-contractors working under those contracts. This requirement may have an effect on which contractors are chosen and could end up being a “shuffling of the cards” in terms of where new business is awarded throughout the supply chain.
The certification requirements are driven by cybersecurity threats that permeate the DoD supply chain and the vulnerability of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Other federal cybersecurity requirements allow for self-attestation of implementation. Post-incident investigations found in many cases that the mandated protections contractors had attested to were not fully implemented. Many of these incidents resulted in exposure of DoD information to unapproved parties, organizations, or governments.
Future DoD solicitations and requests for proposals will specify a CMMC certification level. Primes will pass this requirement to sub-contractors. It is also likely that CMMC requirements will find their way into contracts from other branches of the US government over the next several years.
There are three CMMC levels:
Level 1 = Foundational
Level 2 = Advanced
Level 3 = Expert
Level 1 represents basic cybersecurity and is attained through self-attestation, just like DFARS regulations today.
Level 2 will likely require a third-party assessor’s review and recommendation for certification, depending on the sensitivity of the CUI being handled. This level is considered advanced, and there are significant requirements to truly attain a Level 2 stance and certification.
Level 3 mandates external assessment. This level is the “gold standard” of cybersecurity and is aimed at defending an organization from Advanced Persistent Threats (APTs).
Each maturity level is cumulative of the level(s) below and adds new requirements to make for an increasingly stronger cybersecurity stance.
CMMC is based on the National Institute of Standards and Technology (NIST) Special Publications 800-171 Rev. 2, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," and 800-172, "Enhanced Security Requirements for Protecting Controlled Unclassified Information."
CMMC is an extension of existing Department of Defense Federal Acquisition Requirements, DFARS 252.204-7012, with several additions including assessment by a third-party assessor.
CMMC became a requirement on limited contracts open for bid in mid-2020. Each year more contracts will contain CMMC requirements, with all US DoD contracts containing this language by the end of 2025.
Your Partner in Cybersecurity Maturity Model Certification!
Located in Blaine, Minnesota, Link2Compliance is currently performing requisite steps to certify assessors and become a Certified 3rd Party Assessor Organization (C3PAO).