The CMMC is a capability-based maturity framework that defines a progression of cybersecurity maturity for an organization. The model draws on multiple sources of information, including current laws, regulations, threat profiles, and best practices.
What is CMMC?
The Cybersecurity Maturity Model Certification is being implemented to ensure that contractors handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) appropriately while performing services for the Government. FCI is any information provided by or generated for the Government that is not intended for public release, while CUI is synonymous with unclassified or FOUO information. FAR 52.204-21 and DFARS 252.204-7012 lay out the requirements for handling FCI and CUI data; you may already be familiar with DFARS 7012, which focused on NIST SP 800-171 guidance.
Why the DoD Created CMMC
Department of Defense (DoD) contractors are by now well aware of the cybersecurity mandates that have swept across the defense industry over the past several years. In 2015, the U.S. Department of Defense published the Defense Federal Acquisition Regulation Supplement, known as DFARS, which mandates that private DoD contractors adopt cybersecurity standards according to the NIST SP 800-171 cybersecurity framework. This is part of a government-led effort to protect the U.S. defense supply chain from foreign and domestic cyber threats and to reduce the overall security risk of the sector.
The CMMC space is still evolving. All definitive guidance comes solely from the Office of the Under Secretary of Defense for Acquisition and Sustainment. The CMMC Accreditation Body is beginning to establish the Certified Third Party Assessment Organization (C3PAO) certification processes. Under CMMC certification, contractors will be subject to independent audits conducted by a C3PAO, and proof of certification must be provided at contract award; without it, the contract cannot be awarded to the contractor.
Does this mean you cannot bid on or support contracts today? No. What it does mean is that if you bid on a contract that requires CMMC compliance, you cannot take on that work until you comply. The time to plan is now. During FY21, the Government will release the first 15 contracts that require CMMC compliance. Rollout will occur over 5 years, and by FY26 this requirement will appear on all Government contracts, applying to over 300,000 contractors. It applies not only to primes but to all sub-contractors in the supply chain. The CMMC is split into 5 levels of maturity, depending on the type of data handled; not all companies will be held to the same level of maturity.
What Does Non-Compliance Mean to You?
- Revenue Loss
- Proposal Exclusion
- Stop Work Order
- Breach of Contract Lawsuits
- Supply Chain Disruption
- False Claims Act Actions
- Reputational Damages
- Adverse Performance Reviews
Explanation of CMMC Levels
Level 1
- Basic cybersecurity
- Subset of universally accepted common practices
- Limited resistance against data exfiltration
- Limited resilience against malicious actions
Level 2
- Inclusive of universally accepted cybersecurity best practices
- Resilient against unskilled threat actors
- Minor resistance against data exfiltration
- Minor resilience against malicious actions
Level 3
- Coverage of all NIST SP 800-171 controls
- Additional practices beyond the scope of CUI protection
- Resilient against moderately skilled threat actors
- Moderate resistance against data exfiltration
- Moderate resilience against malicious actions
- Comprehensive knowledge of cyber assets
Level 4
- Advanced and sophisticated cybersecurity practices
- Resilient against advanced threat actors
- Defensive responses approach machine speed
- Increased resistance against, and detection of, data exfiltration
- Complete and continuous knowledge of cyber assets
Level 5
- Highly advanced cybersecurity practices
- Reserved for the most critical systems
- Resilient against the most advanced threat actors
- Defensive responses performed at machine speed
- Machine-performed analytics and defensive actions
- Resistance against, and detection of, data exfiltration
- Autonomous knowledge of cyber assets