Cybersecurity Maturity Model Certification (CMMC)

What is Cybersecurity Maturity Model Certification?

The Office of the Under Secretary of Defense for Acquisition & Sustainment has released the Cybersecurity Maturity Model Certification program.  The program will be made effective in new programs released by the Department of Defense (DoD) and will be a requirement for product and service providers.  This program has been formed to enhance the protection of unclassified information within the supply chain.  This information can be broken down into the following categories:

• Federal Contract Information (FCI) – Information provided by or for the Government that is not intended for public release
• Controlled Unclassified Information (CUI) – Information that requires safeguarding as defined by various government policies, regulations and laws.

The CMMC is a cooperative effort between the DoD and industry to provide a set of processes and practices to protect information from multiple cybersecurity standards and frameworks. 

The Importance of CMMC

The security of CUI in the the Defense Industrial Base (DIB) has long been a source of concern for the DoD.  By establishing the CMMC framework, a criteria for cybersecurity requirements and basic cyber hygiene can be established for DoD contractors. 

CMMC requirements are largely based on NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.  There are however, other requirements including FAR 52.204-21.

Changes in Certification Requirements CMMC 2.0

In March 2021, an internal review of CMMC’s implementation resulted in a refinement of CMMC policy and program implementation.   These changes resulted in reducing CMMC levels from five to three.  The levels currently proposed are:

• Level 1 – Foundational is comprised of the 17 practices described in FAR 52.204-21 and requires an annual self assessment.
• Level 2 – Advanced is comprised of 110 practices which are aligned with the NIST SP 800-171 Revision 2 standard. This is a set of security practices and security standards for non-governmental organizations that handle CUI.  It requires that a third party assessment by conducted every three years for information deemed critical for national security.  It also requires an annual internal assessment
• Level 3 – Expert includes over 110 practices based on the NIST SP 800-17 standard and includes further controls.  There is also a requirement for triennial assessments conducted by government representatives.  

The newly released requirements for assessments should support businesses in adopting CMMC.  The new requirements will reduce costs for companies at Level 1 and some companies at Level 2 by allowing self assessments to demonstrate compliance.

Emphasis has also been placed on increasing the oversight of third-party assessors to ensure professional and ethical standards.  Third party assessors will receive certification through the CMMC accreditation body.

Increased Flexibility in Implementation

In an attempt to establish a more collaborative partnership, the DoD will now allow companies under certain circumstances to achieve certification by making Plans of Actions and Milestones (POAMs).  POAMs are applied to identified deficiencies in an organization’s current level of cyber security application.  Originally  POAMs were not allowed by CMMC to be active at the time of assessment.

Allowance of POAMs is currently to be determined by the assessor and the DoD, not the organization under review.  These POAMs, when granted, will require adherence to strict timelines.  The CMMC will also now, in some cases, allow waivers for requirements.