Past is Future
Cybersecurity Maturity Model Certification, abbreviated “CMMC”, is a new standard promulgated by the US Department of Defense Office of the Under Secretary of Defense for Acquisition & Sustainment (https://www.acq.osd.mil/cmmc/draft.html). Note that this is not a security-focused organization. The actual author of the standard was the Software Engineering Institute (https://www.sei.cmu.edu/). The Software Engineering Institute is part of Carnegie Mellon University and does a great deal of “think-tank” and support work for DoD. Notably, SEI developed the Capability Maturity Model Integration (CMMI). You may wish to review derivatives such as CMMI-ACQ (for acquisition) or CMMI-SVC (for services); these are widely accepted or promoted in DoD, the defense industry, and aerospace.
Previous standards were directed at US Government (USG) agencies and prescribed controls for the systems they operated (e.g. NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations”, see https://csrc.nist.gov/publications/). However, the USG realized that there was no standard for USG contractors operating systems that store, process, and transmit USG Controlled Unclassified Information (CUI). The CUI standard and the related CUI Registry are managed by the US National Archives (https://www.archives.gov/cui/registry/policy-guidance). As a result, the NIST SP 800-53 controls were adapted, producing NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”.
CMMC is managed by the CMMC Accreditation Body (CMMC-AB) (https://www.cmmcab.org/), which provides guidance as well as oversight. The CMMC-AB is tasked with managing assessor certification, Third Party Assessor Organization (3PAO) registration, and training. It is responsible for training and certifying the certified third-party assessment organizations (C-3PAOs) that conduct cybersecurity assessments of DOD contractors. DOD expects the CMMC-AB to set up a marketplace of C-3PAOs on its website later in 2020. Companies will be able to use the marketplace to obtain information on the various C-3PAOs and to schedule an assessment for the certification level they need.
For a contractor’s IT infrastructure to become CMMC certified, the contractor must work with CMMC-approved assessors. The CMMC-AB has not yet specified an assessment method. We believe that NIST SP 800-171A is the obvious starting point; however, 800-171A does not completely address the policy and practice requirements of CMMC Level 2 and Level 3.
Timing for Certification Requirement
By the end of Fiscal Year 2026, CMMC certification will be a requirement for any company doing business with DOD, whether as a prime contractor or as a lower-tier subcontractor. DOD will work with agencies to identify pilot programs that will initially implement CMMC requirements, and a complete rollout will occur during FY 2021 to FY 2025, with all DOD contracts incorporating the requirements by FY 2026.
DOD’s phased rollout gives industry a bit of a reprieve; however, all DOD contractors and subcontractors must still begin preparing for CMMC as DOD puts the ecosystem in place. DOD intends to implement the CMMC requirements using a mix of Levels 1 to 5, explained below. The required CMMC level will appear in Sections L & M of future DOD Requests for Proposals (RFPs), and the DOD agency will have the discretion to specify the certification level required at award.
The Five CMMC Framework Levels
The CMMC framework measures cybersecurity maturity on five levels and aligns a set of processes and practices with the type and sensitivity of the information to be protected. The levels are categorized as follows:
- Level 1: Safeguard Federal Contract Information (FCI). This level focuses on protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21.
- Level 2: Serve as a transition step in the cybersecurity maturity progression toward protecting CUI (Basic Safeguarding of Covered Contractor Information Systems). This level focuses on establishing the policies and procedures needed to achieve the CMMC level requirements.
- Level 3: Protect Controlled Unclassified Information (CUI). This level focuses on establishing and maintaining plans for CMMC practices. In addition, contractors must implement all the security requirements stipulated in NIST SP 800-171 and DFARS 252.204-7012.
- Levels 4-5: These levels focus on protecting CUI and reducing the risk from Advanced Persistent Threats (APTs).