What is CMMC Compliance and Certification and Who Needs It?
Note - This article was updated in November 2022 from the original version to reflect changes made to the CMMC certification process as reflected by CMMC 2.0.
Cybersecurity has become a high-profile issue in today’s economy driven by digital-based commerce. With the advent of cloud computing, big data, and reliance on data transmission across the internet to empower e-commerce and provide for a high level of automation in transaction processing, the risks of data breaches and denials of service have grown substantially. Cyber-attacks are occurring with increased frequency, impacting both private industry and public organizations at all levels — from state and local governments to federal agencies. In most cases, these attacks seek to obtain sensitive information or data that can be used to demand a ransom from the victims.
Well-known and highly publicized cyber-attacks on industry targets have impacted their operations, damaged their reputations in the eyes of their customers, and interrupted normal business operations as they struggle to recover. These cases have also spotlighted the need to prevent such attacks in the interest of national economic security. The cost of malicious cyber activity, as shown by just a small sample of the most publicly known cases, has been estimated to be in the range of $1.3 - $1.5 billion [1]. A report issued by the Council of Economic Advisers (CEA) in 2018 [2] stated that “...malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.”
In this article, we will provide a summary of the CMMC model, including what it is, what it means to become compliant, and how the certification process for CMMC works. We will also discuss the different CMMC levels that exist within the new CMMC framework and cover additional questions relating to each specific level so that companies within the defense industrial base can better understand what is needed to implement these cybersecurity practices and how to assess the cybersecurity maturity level that best applies to their particular situation. Additionally, we will provide a convenient checklist that can be used to help review the main cybersecurity controls and basic cyber hygiene that should be in place to protect against the risks from malicious cyber activity.
To learn more about general cybersecurity methods for industry, a free e-book from Thomas entitled Cybersecurity Best Practices for Manufacturing is available for download in PDF format.
What is CMMC and Who Needs It?
CMMC stands for Cybersecurity Maturity Model Certification. Prior to its adoption, the US Department of Defense (DoD), in its dealings with its supply chain, relied on a system of self-assessment with respect to cybersecurity and the basic safeguarding requirements concerning the storage and handling of data. The National Institute of Standards and Technology (NIST) document SP 800-171 provides an essential methodology that all suppliers doing business with the DoD follow to perform internal evaluations. However, these self-reported assessments have little to no formal validation of the cybersecurity posture maintained by the individual suppliers. An additional complication results from the multi-tier supply chain used by the DoD, with layers of contractors and subcontractors handling different aspects of projects and supplying different products and materials. Without a more formal supplier performance risk system and verification mechanism in place, there is a substantial risk with respect to the handling of sensitive unclassified information.
The threats posed by bad actors have prompted concerns within the DoD and led the Under Secretary of Defense to develop a more uniform set of guidelines and practices. The new system is intended to protect controlled unclassified information that is routinely shared between defense contractors and the agencies responsible for supplying the equipment and services the defense department needs in its mission to protect and defend national security.
The Cybersecurity Maturity Model Certification is a unifying standard and new certification model that can be adopted by defense contractors and those organizations that perform or provide services under a DoD contract [2]. It is important to note that these requirements apply only to a non-federal system or non-federal organization when mandated by a federal agency in a contract, grant, or other agreement.
Key Terminology and Definitions
Before diving into the specifics of the Cybersecurity Maturity Model Certification process, it will be useful to summarize several of the commonly used terms and acronyms associated with the CMMC program. This topic is dense with initialisms and acronyms, so it is useful to reference this section frequently.
DIB
The Defense Industrial Base (DIB) sector is the global industrial network necessary for US military applications, including activities and suppliers used in R&D, military system development, design, production, delivery, maintenance, and more [3]. In simple terms, the DIB sector provides essential products and services for military mobilization, deployment, and sustained operations. Companies within the DIB (known as DIB companies) include domestic and foreign businesses with assets located in global locations. The DIB sector is composed of:
- DoD components
- More than 100,000 DIB companies and their subcontractors who perform under contract to the DoD
- Companies providing incidental materials and services to the DoD
- Government-owned/contractor-operated and government-owned/government-operated facilities.
FAR
The Federal Acquisition Regulation (FAR) is the regulation used by all executive agencies in acquiring supplies and services with funds issued and controlled by the DoD, General Services Administration (GSA), and NASA.
DFARS
The Defense Federal Acquisition Regulation Supplement (DFARS) is an addition to the FAR that is specific to DoD-based applications. It is a series of clauses in DoD contracts that outlines legal requirements, DoD-wide policies, delegations of FAR authorities, FAR requirement deviations, and policies and procedures that significantly affect the public [4]. The DFARS clauses contain the cybersecurity requirements that must be addressed in contracts between a business entity and the US government or prime contractor.
The DFARS Interim Rule
On September 29, 2020, the DoD released the DFARS interim rule, which went into effect on November 30, 2020. This interim rule created several new clauses, including:
- DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirement
- DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
These clauses will be added to any new or renewed contracts after the rule is codified. Note that the DoD will not retroactively require CMMC for contracts signed prior to the date the rule goes into effect. The interim rule also stipulates that all contractors comply with NIST SP 800-171 and, to quantify this compliance, submit their self-assessment to the Supplier Performance Risk System (SPRS), implement a System Security Plan (SSP), and build a timeline to full cybersecurity compliance prior to new contracts. This interim rule is (as of this writing) still being revised and approved.
SSP
A System Security Plan (SSP) is an aggregation of security information and documents that describes the security environment of an organization and its implemented safeguards. An SSP is regularly updated to reflect the most current security posture of a business and is an integral part of the certification process for higher-priority contracts within the DIB.
CUI
Controlled Unclassified Information (CUI) is defined by the DoD [5] as follows:
- “Government-created or owned UNCLASSIFIED information that must be safeguarded from unauthorized disclosure.
- An overarching term representing many different categories, each authorized by one or more laws, regulations, or Government-wide policies.
- Information requiring specific security measures indexed under one system across the Federal Government.”
This is a broad definition that covers information across a range of categories, including:
- Critical Infrastructure
- Defense
- Export Control
- Financial
- Immigration
- Intelligence
- International Agreements
- Law Enforcement
- Legal
- Natural and Cultural Resources
- NATO
- Nuclear
- Privacy
- Procurement and Acquisition
- Proprietary Business Information
- Provisional
- Statistical
- Tax
Contracts issued by the government will normally define and designate the presence of CUI explicitly, as well as the safeguards required for its protection. The requirements of NIST SP 800-171 are usually what is needed for the proper protection of CUI.
FCI
Federal Contract Information (FCI), as defined by FAR 52.204-21, represents [6] “...information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
FCI could be considered a broader set of information than CUI. When compared with CUI, the safeguarding requirements for FCI are lower but still mandate protection from general release to the public. The protection of FCI is governed by the requirements found in FAR 52.204-21.
OSC
OSC stands for Organizations Seeking Certification. Within the context of the CMMC process, it represents those companies, vendors, suppliers, or contractors that need to obtain CMMC certification to meet the requirements laid out by the Under Secretary and that plan to begin a CMMC assessment.
C3PAO
A CMMC Third-Party Assessor Organization (C3PAO) is one that has been authorized to enter into a contract to deliver CMMC assessments and to work with or provide certified CMMC assessors who perform the assessment process for OSCs.
POAM
A Plan of Action & Milestones (POAM, sometimes written POA&M) is defined by NIST SP 800-115 [7] as “A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones for meeting the tasks, and scheduled milestone completion dates.”
POAMs are key documents in security authorization and continuous monitoring activities. They identify a system’s known vulnerabilities and deficiencies and outline the specific steps that system teams must take to resolve them.
NIST SP 800-171
NIST SP 800-171 is a NIST publication [8] “that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). Defense contractors must implement the recommended requirements contained in NIST SP 800-171 to demonstrate their provision of adequate security to protect the covered defense information included in their defense contracts, as required by DFARS clause 252.204-7012.”
If a business entity is part of a DIB supply chain, NIST SP 800-171 implementation is required to secure sensitive and potentially dangerous information.
What is the Cybersecurity Maturity Model (CMMC) Certification Process and How Does it Work?
The cybersecurity maturity model certification (or CMMC) process is a standardized approach to securing the DIB sector from breaches and cyberattacks. The original CMMC 1.0 process was updated in September 2020 with the DFARS interim rule in the Federal Register (DFARS Case 2019-D041), and its clauses were put into practice in November of that same year.
In light of public comment and initial responses to the DFARS interim rule, the DoD refined its cybersecurity policies and announced a new formal CMMC 2.0 program structure in November 2021, effective early-to-mid 2023 [9].
Note that, at the time of this update (November 2022), CMMC 2.0 is still in the rulemaking and approval process, and the information below is subject to change until its scheduled release date of early-to-mid 2023. OSCs are currently working toward the protocol outlined in this preliminary CMMC 2.0 model so that they can receive certification as it is finalized, but they will have to revisit their eligibility requirements if and as these rules are edited and codified in the coming years.
CMMC 1.0 vs. CMMC 2.0: What Has Changed?
The DoD is making key changes to the CMMC model from its initial rollout. The justification for these revisions is based on industry feedback and the desire to enhance security around FCI and CUI within the DIB [9]. Below is a global summary of the changes and the reasoning for these updates:
- Streamlined Model
- Reliable Assessments
- Flexible Implementation
Figure 1 is a graphic version of these changes in comparison to the structure of CMMC model 1.0.
Figure 1 - Global Changes From CMMC Model 1.0 and CMMC Model 2.0
Image credit: www.acq.osd.mil
Generally speaking, the revision reduced the certification process from 5 levels to 3, significantly reduced the number of requirements for each level, and better aligned the requirements with the widely accepted NIST SP 800-171 and SP 800-172 standards. We will explore the differences in finer detail in the following sections, but the overall thesis for the change from model 1.0 to 2.0 is to make the CMMC process simpler, safer, and more rigorous in implementation. Again, note that the information in this diagram is notional until the rules are revised and approved.
CMMC Levels
Prior to the changes to the certification process, CMMC 1.0 had a five-level hierarchy of cybersecurity readiness/compliance and 17 domains or categories in which cybersecurity practices and standards must be applied in order to achieve the appropriate CMMC level. This structure has been streamlined to a three-level hierarchy and 14 cybersecurity domains or “families”, and the requirements of each level have also been updated.
Each successive level places increased emphasis on cyber hygiene and more aggressive management of continuing threats, where:
- Level 1 (the foundational level, aligned with CMMC 1.0 level 1) is required for companies that only handle FCI and information not critical to national security
- Level 2 (the advanced level, aligned with CMMC 1.0 level 3) is required for companies that handle CUI
- Level 3 (the expert level, aligned with CMMC 1.0 level 5) is required for high-priority CUI programs most critical to national security.
Figure 2 below provides a graphical representation of the various CMMC levels.
Figure 2 - The 3 CMMC Levels and What They Represent
Image credit: www.acq.osd.mil
The specific cybersecurity requirements needed to achieve compliance increase as the levels move up, with each level increasing the frequency of assessments and requiring the authorization of third-party auditors such as C3PAOs and governmental officials. Note that the specific number of requirements is still in flux, and this is the reason why Figure 2 may not perfectly align with other diagrams with varying amounts of requirements for each level.
Level 1 consists of 15 safeguard controls referenced from FAR 52.204-21 and only requires annual DIB self-assessments.
Level 2 consists of 110 controls or requirements aligned with NIST SP 800-171 (and originating from DFARS 252.204-7012) and may require self-assessments or third-party assessments depending on the information class:
- Prioritized acquisitions require triennial third-party verification from a C3PAO, all BEFORE the contract is awarded, along with annual submissions of senior official affirmations to the SPRS
- Non-prioritized acquisitions require triennial CMMC Level 2 self-assessments and annual submissions of senior official affirmations to the SPRS for select programs
Level 3 consists of 110+ controls or requirements originating from NIST SP 800-171 and -172 and is triennially assessed by formal government officials (along with annual affirmations to the SPRS).
Image credit: www.acq.osd.mil
This change allows small and medium businesses not working with CUI to achieve certification without performing the lengthy third-party auditing process, while also improving the compliance of high-risk companies handling CUI relevant to national security.
CMMC Domains/Families
A “domain” is a distinct group of security practices with similar attributes and represents the vital areas to protect FCI and CUI in the DIB. The CMMC framework includes a total of 14 domains or “families” that cover specific security areas that originate from the Federal Information Processing Standards (FIPS) Publication 200 and other standards such as NIST SP 800-171. This is a revision from CMMC 1.0, where there were 17 domains (i.e., three previous domains were subsumed into other domains or entirely cut).
Figure 4 below illustrates the domains and their standard 2-character codes.
Image credit: Christian Cavallo
Domain Security Requirements
Each domain has security requirements outlined in NIST SP 800-171 and -172 that directly correlate to the CMMC levels that work with CUI (levels 2 and 3). Performing, documenting, and proving that these requirements are met are of chief importance when obtaining cybersecurity certification and can be formed into checklists so that companies can determine if they are eligible for CMMC when self-reporting.
This change is one of the most noticeable differences from CMMC 1.0, where there were fewer requirements that were not necessarily outlined by the NIST protocol. The updates require more information and security measures from an OSC, increasing their preparedness while also reducing the unnecessary complexity of the CMMC process. To see the full checklist of security requirements, see our condensed checklist in our spreadsheet here or reference chapter three in both the NIST SP 800-171 and NIST SP 800-172 publications.
What is The Cyber AB, and What Do They Do?
The CMMC assessment process is under the control of an independent body that was established by the DoD under a “no cost” contract (meaning the contract stipulates no funding from the DoD, other governmental bodies, or taxpayer resources). Known as The Cyber AB (formerly the CMMC Accreditation Body, or CMMC-AB), this group is responsible for building, accrediting, certifying, and managing the CMMC ecosystem on behalf of the DoD [10].
This contract establishes The Cyber AB as the sole authority to perform licensing and certification for organizations that have the desire to become certified CMMC assessors and perform CMMC assessments. Effectively, this accreditation body is tasked with training any C3PAOs or other CMMC assessors and maintaining the current models and assessment guides for the process. The Cyber AB approves all Certified CMMC Professionals (CCPs), Certified CMMC Assessors (CCAs), and Registered Practitioners (RPs) that will assist C3PAOs in the assessment of OSCs.
This responsibility is planned to eventually be spun out from The Cyber AB into the Cybersecurity Assessor and Instructor Certification Organization (CAICO), which will become a separate legal entity as CMMC becomes more mainstream.
What Does the CMMC Certification Process Entail?
OSCs must prepare for the formal release of CMMC 2.0 in advance of the proposed 2023 rollout. To ensure good standing, many are reviewing their readiness against the practices used in the evaluation process (those outlined in NIST SP 800-171). The DoD will assess the implementation of NIST SP 800-171 and/or SP 800-172 practices (as outlined in DFARS 252.204-7020 and DFARS 252.204-7021); the results of these assessments decide whether the OSC obtains certification, and the DoD Assessment score is submitted to the SPRS for final validation.
Being issued CMMC certificates based on the successful completion of the process will necessitate investment and commitment to managing information flow, controlling access, and training personnel to enhance awareness of the risk of breaches in cybersecurity and the aggregate loss that can be incurred. Below are some general guidelines that should be noted.
Guidance for Doing Business with the Defense Department
- The DoD will specify the required level of CMMC certification for a contract within the RFIs and RFPs it issues, which establishes the target level to seek.
- Assessments are made of the unclassified networks that OSCs operate, which store FCI and CUI.
- A phased rollout of CMMC is planned, but the expectation is that certification will be mandatory for all organizations that do business with the DoD as the rule is finalized.
- There is an exception from certification for those suppliers that only sell COTS (Commercial-Off-The-Shelf) equipment.
- Once certified, certificates are valid for a period of three (3) years. However, the Cyber AB or the government may require recertification if, for example, a security breach occurs and there is a failure to apply recommended software updates in a timely manner.
- You should begin to prepare for assessment at least six months in advance of when you desire certification. This will allow you time to self-assess your readiness and correct any deficiencies beforehand.
Even for those businesses that are not currently certified and have no immediate plans to get certified as they are not within the Defense Industrial Base Sector, there is still value in understanding the guidelines and practices that the CMMC model offers. As these practices become more ingrained, they will tend to flow down to other non-DoD-related and commercial business contracts, so awareness of these best practices is an important component of overall cybersecurity.
Steps for Getting CMMC Certified
As the interim rules are revised and codified, the path toward certification is changing. However, meeting the widely accepted standards outlined in DFARS and NIST protocols will at least guarantee eligibility for certification, so below are some steps to ensure compliance with these documents in preparation for the CMMC 2.0 release in 2023:
- Determine which level of CMMC compliance fits your business (i.e., do you work with FCI, low-priority CUI, or high-priority CUI?). More specifically, determine which aspects/departments of the business manage FCI and CUI and map the flow of this information through the business, as only these parts must be compliant with the CMMC protocol (making all departments NIST compliant is difficult, to say the least).
- Perform a self-assessment of your cybersecurity practices and readiness using a NIST SP 800-171 Basic Assessment (this is standard procedure for all DIB companies). You may want to engage an approved consulting company to assist with this. Visit the marketplace at https://cyberab.org/ to look for available RPOs and RPs that can assist with this effort. Then submit this basic assessment to the SPRS as per the DFARS interim rule.
- Ensure all DFARS clauses are satisfied (7012, 7019, 7020, 7021); if not, identify where gaps exist and remediate them.
- Create an SSP (required for all levels, but only submitted for certification at levels 2 and 3).
- Schedule an appointment with a C3PAO from the Cyber AB (level 2 only) using the marketplace resources on https://cyberab.org/ or with a government official (level 3 only) through the relevant portal. They will evaluate your readiness for certification and, if you are not fully compliant, may allow time-restricted POAMs or waivers (in limited circumstances).
- Address any deficiencies noted during the assessment process within 45 days to avoid needing a full reassessment.
- Receive full certification at the desired level, remain compliant for the duration of the certification (3 years), and then reapply.
- Continue to actively monitor and address ongoing threats and commit to periodic training of personnel as outlined in the above documents and controls.
Summary
In this article, we provided information on the DoD CMMC Compliance process and the underlying framework for that model. To learn more about cybersecurity, download Thomas’ free cybersecurity e-book or listen to their recent webinar on cybersecurity best practices.
Sources:
- CEA Report: The Cost of Malicious Cyber Activity to the U.S. Economy
- 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
- Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- Federal Register / Vol. 85, No. 189 / Tuesday, September 29, 2020 / Rules and Regulations