The Cybersecurity Maturity Model Certification (CMMC) is a training, certification, and third-party assessment program of cybersecurity for DoD contractors (also referred to as the Defense Industrial Base or DIB). Why should you care about CMMC? FAR and DFARS clauses require it. It will be a factor in proposal scores (e.g. the draft Polaris GWAC scores up to 8,500 points for "Organizational Risk Assessment" compared to 750 points for CMMI Level 3 Certification). NASA, DHS, GSA, and other government organizations are expected to follow DoD with implementation of CMMC. These are the important bullet points for CMMC:
FAR 52.204-21. Basic Safeguarding of Covered Contractor Information Systems.
DFARS clause 252.204.7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (October 2016) required compliance with NIST SP 800-171 no later than December 31, 2017.
DFARS clause 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements (November 2020). Suppliers are required to perform an assessment for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order, at Basic, Medium, or High level in accordance with the NIST SP 800-171 DoD Assessment Methodology and submit their score (not more than 3 years old) in the Supplier Performance Risk System (SPRS). A Basic assessment is a self-generated score. A Medium assessment is performed by the Government. A High assessment includes everything in a Medium assessment as well as validation of the contractor's SSP.
DFARS clause 252.204.7020 NIST SP 800-171 DoD Assessment Requirements (November 2020). Defines Basic, Medium, and High assessments.
DFARS clause 252.204-7021 Cybersecurity Maturity Model Certification Requirements (November 2020). Requires CMMC certificate at the CMMC level appropriate for the information that is being flowed down to the contractor.
CMMC v1.0 was released on January 31, 2021.
CMMC v2.0 was released on November 4, 2021. Per Town Hall sessions held by the Deputy DoD CIO (David McKeown) in February 2022, CMMC v2.0 is not expected to be finalized until it completes the DoD rulemaking process which could take up to 24 months. The new version simplified the program:
Level 1. Foundational
For contractors and subcontractors that only handle Federal Contract Information (FCI) as defined in the FAR. The DoD estimates that about 140,000 such companies exist in the DIB.
17 security controls aligned with FAR 52.204-21.
Level 2. Advanced
Allows CUI handling.
aligns with NIST SP 800-171 rev 2. 110 security controls. Rumor that the "delta 20" which were in the CMMC v1.0 Level 3 will be added in to NIST SP 800-171 version 3. These include FAR Clause 52.204-21, NIST SP 800-53 Rev. 4, NIST CSF v1.1). Includes Level 1 requirements.
triennial 3rd party and government-led assessments for some Level 2 programs. Original estimate is that 40,000 companies will require 3rd party assessment. Per February 10, 2022 Town Hall, Deputy DoD CIO David McKeown said further analysis has shown all 80,000 CMMC Level 2 DIB contractors will require third-party assessments.
Level 3. Expert.
NIST SP 800-172 Enhanced Security Requirement for Protecting Controlled Unclassified Information, a supplement to NIST SP 800-171. Includes Level 2 requirements.
Only about 500 companies out of 100,000 in the DIB will be subject to Level 3 certification.
triennial 3rd party and government-led assessments via the Defense Contract Management Agency Defense (DCMA) Industrial Base Cybersecurity Assessment Center (DIBCAC).
"CMMC eMASS" is expected to be available to the DIB to store assessment artifacts, create POA&Ms, and maintain the System Security Plan (SSP).
A Plan of Action and Milestones (POA&M) will be allowed for up to six months for non-compliant controls. POA&Ms for the highest-weighted requirements will not be allowed. A minimum score will be required to support certification with POA&Ms. Waivers will be allowed on a very limited basis, accompanied by strategies to mitigate CUI risk. Waivers will be time bound and require senior DoD approval.
The Department of Justice announced in their Civil Cyber-Fraud Initiative that they will utilize the False Claims Act to pursue cybersecurity related fraud by government clients (which includes falsely claiming compliance with CMMC). https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative
The government may offer incentives for DoD contractors who comply earlier than the CMMC v2.0 implementation deadline (or when it makes it through the rulemaking process and the DFARS clauses are allowed in contracts).
DoD will lay out the new policies, such as waiver processes, through Title 32 National Defense regulations. The Pentagon will also codify the policy into Title 48 Federal Acquisition Regulations (FAR) and Defense Acquisition Regulation Supplement (DFARS) so contracting officers can use CMMC 2.0 in acquisitions. This could take up to 2 years (expect CMMC 2.0 to be in contracts by fall 2023). Rulemaking under 32 CFR is required to establish the CMMC program. Rulemaking under 48 CFR is required to update the contractual requirements in the DFARS to implement the CMMC 2.0 program. Until rulemaking formally implements CMMC 2.0, the DIB's participation in CMMC will be voluntary.
OSC. Organization Seeking Certification
C3PAO. CMMC Third-Party Assessor Organization. Contract with OSCs, hire and train certified assessors, schedule assessments, manage assessments.
Assessors. Certified CMMC Professionals (CCP) and Certified CMMC Assessors (CCA). Credentialed to conduct assessments at a particular level (1, 2, or 3).
RP. Registered Practitioner. Individuals that provide advice, consulting, and recommendations to their clients. Do not conduct Certified CMMC Assessments.
RPO. Registered Provider Organization. Implementers and consultants that assist companies with CMMC. Do not conduct Certified CMMC Assessments.
LPP. Licensed Partner Publisher. Publish educational courses and contents related to CMMC.
LTP. Licensed Training Partner. Provide education and training services related to CMMC.
By Eric Skiff, Chief Technology Officer