About the CMMC

Cybersecurity Maturity Model Certification (CMMC)

On January 31, 2020, the Department of Defense released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework which will affect the over 300,000 DoD contractors and subcontractors who provide products and services to the DoD.

Unlike prior requirements, the CMMC will require a third party certification of compliance. Our CMMC assessment tools help DoD contractors and their subcontractors prepare to pass their audit on the first try.

If you are a DoD Prime, Subcontractor, Compliance Consultant or Auditor, our platform allows you to cut costs, save time and reduce the risk in our nation’s supply chain.
Click here to request a demonstration now.

Are you a small or mid-size business and want a FREE Level 1 assessment to see how your current practices stack up against Level 1 requirements?
Click here for the Ultimate Guide to CMMC with FREE access to our Level 1 Assessment.

About the CMMC

First – some background.

High profile hacks, breaches, and security leaks have made cybersecurity a top priority for our nation’s supply chain, and the CMMC was created to combat advanced persistent threats (APTs) from increasingly sophisticated actors. These stakes could not be higher than they are for members of the defense industrial base (DIB – aka DoD contractors), where security vulnerabilities aren’t just an organizational threat; they may compromise our national security. In response to these threats, the DoD has issued the CMMC.

So what is the CMMC?

The CMMC is a certification process that measures a DoD contractor’s ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Unlike previous models, DoD contractors cannot self-certify their compliance with the CMMC. Instead, DoD contractors and their subcontractors will need to pass a CMMC audit conducted by an independent third-party before they can bid on new contracts.

What does the CMMC require and is it retroactive?

Version 1.0 of the CMMC requires DOD contractors to obtain a cybersecurity rating from Level 1 through Level 5 which will measure maturity levels covering 17 domain areas. Level 1 certification will involve 17 practices considered to be basic cyber hygiene such as ensuring the use of antivirus software and regularly updating passwords, up through Level 5 which will cover 171 practices as well as accompanying capabilities and processes. Each level will build on the previous one, adding more cybersecurity capabilities, practices and processes for contractors to follow.

Source: https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf

Note, though, that Level 3 will be roughly equivalent to the National Institute of Standards and Technology's (NIST) existing Special Publication 800-171, meant to protect sensitive CUI, while Levels 4 and 5 will add further "proactive" and advanced cybersecurity practices.

The objective is for contractors to identify the CMMC level required for a contract in RFP sections L and M and use that as “qualification to bid” criteria in the bid process. This provides the DoD with assurance that a DoD contractor and, as applicable, its subcontractors can adequately protect FCI and CUI at a level matching the risk associated with a given project.

The requirements will not be retroactive to current contracts.

How will this apply to subcontractors?

The CMMC applies to DoD subcontractors. However, according to Katie Arrington, the DOD's special assistant for cybersecurity, the level requirement that applies to a prime contractor won't necessarily apply to a subcontractor working on the same contract. Instead, it will depend on that subcontractor's role and the information it needs from the prime contractor. Defense contractors and subcontractors at all levels of the supply chain will need a certification as the DoD has stated that U.S. adversaries often seek to target lower-tier suppliers rather than more sophisticated prime contractors, making compliance at all links in the supply chain necessary.

Explain the third party certification requirement and how long are the certifications good for?
Third party CMMC verification is required and, according to the DoD, will last for three years. Third party assessors have not been chosen yet, but the accreditation body that will oversee the training and administration of the assessors has recently named its board of directors. As of now, the DoD and the accreditation body are working to clearly outline each side's responsibilities.

Want to learn more about CMMC?
Download The Ultimate Guide to the Cybersecurity Maturity Model Certification (CMMC) for DoD Contractors.