The Cybersecurity Maturity Model Certification (CMMC) program is a Department of Defense initiative designed to ensure the protection of unclassified information shared between Defense Industrial Base contractors and subcontractors. CMMC 2.0 introduces enhancements to improve cybersecurity standards, third-party assessments, and the overall resilience of the cyber landscape, fostering public trust in the program.
CMMC Overview
The Department of Defense developed CMMC to address the need for enhanced cybersecurity measures in the Defense Industrial Base, safeguarding sensitive information crucial to national security. It provides accurate interpretation of cybersecurity policies, requirements, and regulations while emphasizing high priority organizational expectations and qualified ethical standards in the assessment environment.
Compliance Requirements
All Defense Industrial Base contractors are required to conduct annual assessments to ensure compliance with cybersecurity requirements. The level of protection required depends on the sensitivity of the information handled:
- Self assessments are necessary for companies handling federal contract information (FCI) and a subset of companies responsible for protecting controlled unclassified information (CUI).
- Third-party assessments and government assessments are mandated based on the type and sensitivity of the information handled.
- For information critical to national security, assessments must be obtained through accredited CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO).
Non-compliance with CMMC certification results in the inability to conduct business with the US government, although fines are not imposed.
Breakdown of CMMC 2.0 Levels
CMMC 2.0 adopts a tiered approach to information security, with different levels of protection based on the sensitivity of the data:
- Level 1 (Foundational): This level pertains to organizations handling FCI and includes 17 practices aimed at protecting contractor information systems and limiting access to authorized users. Self-assessments are permitted for compliance demonstration.These controls can be found in FAR 52.204-21.
- Level 2 (Advanced): Organizations working with Controlled Unclassified Information (CUI) adhere to NIST SP 800-171 standards, encompassing 14 families and 110 security controls. CMMC accredited third-party assessments are required for organizations handling information critical to national security, while self-assessments demonstrating compliance are acceptable for others.
- Level 3 (Expert): Designed for companies involved in DoD's highest priority programs with CUI, this level focuses on reducing risks associated with Advanced Persistent Threats (APTs). Requirements align with NIST SP 800-171 and NIST SP 800-172, and they may evolve based on advancements and changes.
Transition from CMMC 1.0 to 2.0
The transition from CMMC Model 1.0 to CMMC Model 2.0 introduces significant improvements. Key changes include a streamlined model that emphasizes critical requirements, expanded availability of self-assessments for level 1 and select level 2 companies, reducing assessment costs, and enhanced flexibility in implementation. Refer to the transition table for further details on these changes.
CMMC 2.0 strengthens cybersecurity practices for Defense Industrial Base contractors, promoting secure information sharing and ensuring compliance with DoD requirements. By implementing the tiered approach and continuous assessments, organizations can enhance their cybersecurity posture and contribute to the overall resilience of the defense ecosystem.