CMMC DOD Framework Guide

More and more, information security and cybersecurity efforts in organizations all over the world are impacted by a growing web of connected vendors. In turn, it has become hypercritical that organizations not only understand how mature their vendors’ security programs are but also have a hand in making them better. Otherwise, they run the risk of a compromise that (on paper) wasn’t their organization’s fault.

And that’s the basis of the CMMC. With the CMMC, the DOD is doubling down on knowing where its contractors’ security programs stand and is using the certification as its audit framework.

Here is a breakdown of the CMMC and its requirements.


About the CMMC

  • CMMC stands for the Cybersecurity Maturity Model Certification.
  • Version 1.0 of CMMC was released to the public on January 31, 2020.
  • It is meant to be incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS, the DOD's purchasing rules) and used to award contracts.

Definitions

  • CUI – Controlled Unclassified Information – “Information that the government creates or possesses, or that any entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
    • Examples of CUI are engineering drawings, plans, schematics, and technical descriptions. The aggregate loss of CUI presents a significant risk to the Department of Defense.
  • DIB – Defense Industrial Base – Made up of approximately 300,000 contractors and subcontractors working for the Department of Defense.
  • DFARS – Defense Federal Acquisition Regulation Supplement – The system that manages the investments of the US in technology, programs, and product support necessary to achieve the national security strategy to support the US Armed Forces.

Whom CMMC Applies To

  • Contractors in the DIB.
  • The prime contractor or DOD will define the level of CMMC required in the RFP.

When Contractors Will Start to See CMMC Requirements

  • By September 2020, some contractors will likely start to see requests for proposals (RFPs) requiring a basic level of CMMC compliance.
  • By 2026, all new DOD contracts will contain the CMMC requirements.

More Detail About the CMMC Levels

  • Each level encompasses the prior level’s requirements:
    • Level 1 – 17 requirements – Requires only foundational security measures
    • Level 2 – 72 requirements – Transition to protecting CUI
    • Level 3 – 130 requirements – Closest to NIST SP 800-171 (protecting CUI)
    • Level 4 – 156 requirements – Established cybersecurity best practices in protecting CUI
    • Level 5 – 171 requirements – Advanced level with an established, mature, and progressive program
  • https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf
    • Outlines the specific requirements of each level


What Determines the Level of CMMC in the Contract?

  • The sensitivity of the CUI determines the level of CMMC required by the DOD.

What Happened to NIST SP 800-171?

  • As of January 1, 2020, it had a 0% rate of full compliance for any DOD vendor.
    • Going forward, CMMC will be required at a given level instead of NIST 800-171. However, NIST 800-171 is not formally going away immediately and may still be a regulatory requirement.
  • If you comply with CMMC level 3, it encompasses NIST SP 800-171.

What are the differences between CMMC and NIST SP 800-171?

  • Under CMMC, contractors can no longer self-certify as they could under NIST 800-171.
  • NIST 800-171 had only one level where CMMC will have five levels.
  • The number of contractors that will see CMMC requirements will likely be larger than those that saw NIST 800-171 requirements. Contractors will likely be at lower levels if they had no prior requirements.
  • CMMC is a contractual requirement, whereas NIST 800-171 is both a regulatory (law) and a contractual requirement.

How to Get Certified

  • The CMMC Accreditation Body (AB) will accredit third-party assessment organizations (C3PAOs) and individual assessors. Only these assessors can certify a given organization to a level of CMMC.
  • By mid-2020, lists of available assessors will be available.
  • This assessment is good for three years.

What if I Get Certified at a CMMC Level and Find That the Contract Requires a Higher One?

  • The company attempting to gain the contract will then have to re-certify at the required level.

Key Takeaways for CMMC

  • Communicate with your DOD contacts and prime contractors about what to expect.
  • Start early. Even the lowest level has a base set of 17 controls.

Resources