In 2016, the United States Federal Government created FAR 52.204-21 to provide for the safeguarding of covered contractor information systems. In response to FAR 52.204-21, and as a measure for ensuring compliance, the Department of Defense (DoD) created and implemented DFARS 252.204-7012, which mandated that any company holding Controlled Unclassified Information (CUI) that provides insight into a government mission must have the necessary safeguards in place to secure that CUI. These measures must be implemented using NIST SP 800-171 guidance. DFARS 252.204-7012 mandates that companies supporting DoD missions demonstrate due diligence in providing measures that protect CUI. These companies are required to maintain a System Security Plan (SSP) and Plan of Action and Milestones (POAM) documentation that addresses information security vulnerability remediation and mitigation measures. Inherently, an organization must have a fully operational information security program supporting a robust cybersecurity posture.
In 2020, the Cybersecurity Maturity Model Certification (CMMC) framework was launched to further enhance the protection of sensitive information relating to contractor services provided to the DoD. Sensitive information includes:
- Federal Contract Information (FCI) – Information not intended for public release. It is provided by or generated for the government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.
- Controlled Unclassified Information (CUI) – Information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
Additional types of CUI data include:
- Controlled Technical Information (CTI) – Technical information with military or space application that is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
The CMMC 1.0 framework implemented a tiered approach to auditing contractor compliance with NIST SP 800-171, based on five different levels of maturity expectations. CMMC 1.0 included 17 capability domains, 43 capabilities, 5 processes across the five levels to measure process maturity, and 171 practices across the five levels to measure technical capability.
On November 4, 2021, the Department of Defense announced a change in the strategic direction of the CMMC program. The enhanced “CMMC 2.0” program updated the framework to a 3-tier model, aligned more closely with NIST SP 800-171 and SP 800-172.