What is the CMMC?

In 2016, the United States Federal Government issued FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. Alongside it, the Department of Defense (DoD) implemented DFARS 252.204-7012, which requires any contractor that processes, stores, or transmits Controlled Unclassified Information (CUI) in support of a DoD mission to implement adequate security for that information, using NIST SP 800-171 as the baseline. DFARS 252.204-7012 obliges companies supporting DoD missions to demonstrate due diligence in protecting CUI. Under NIST SP 800-171 these companies must maintain a System Security Plan (SSP) describing how each requirement is met, and a Plan of Action and Milestones (POA&M) that tracks the remediation and mitigation of identified security gaps. In practice, this means the organization must operate a functioning information security program that sustains its cybersecurity posture, not simply produce the documents.

In 2020, the Cybersecurity Maturity Model Certification (CMMC) framework was launched to further strengthen the protection of sensitive information relating to contractor services provided to the DoD. Sensitive information includes:

  • Federal Contract Information (FCI) – Information not intended for public release. It is provided by or generated for the government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.
  • Controlled Unclassified Information (CUI) – Information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A category of CUI that is especially common in DoD contracts is:

  • Controlled Technical Information (CTI) – Technical information with military or space application that is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.

The CMMC 1.0 framework introduced a tiered approach to assessing contractor compliance with NIST SP 800-171, based on five levels of maturity expectations. CMMC 1.0 comprised 17 capability domains, 43 capabilities, 5 processes (applied across the five levels to measure process maturity) and 171 practices (applied across the five levels to measure technical capability).

On November 4, 2021, the Department of Defense announced a change in the strategic direction of the CMMC program. The revised "CMMC 2.0" program reduced the framework to a three-tier model, aligned more closely with NIST SP 800-171 and NIST SP 800-172.

  • Level 1 – Foundational: Requires 17 practices, corresponding to the basic safeguarding requirements of FAR 52.204-21. Level 1 applies to contractors that handle only FCI and is demonstrated through an annual self-assessment, making it appropriate for smaller contractors with no CUI.
  • Level 2 – Advanced: Requires 110 practices, matching the 110 security requirements of NIST SP 800-171. Level 2 is a managed state in which policies, procedures and infrastructure have been put in place and are maintained to cover all applicable NIST SP 800-171 requirements. It applies to contractors with access to CUI and, for contracts involving the more sensitive CUI, requires a third-party certification assessment by an accredited CMMC Third-Party Assessment Organization (C3PAO) every 3 years; DoD has indicated that a subset of Level 2 contracts will instead be allowed an annual self-assessment.
  • Level 3 – Expert: Requires the 110 Level 2 practices plus additional practices drawn largely from NIST SP 800-172. Level 3 calls for more advanced security practices and applies to contractors supporting the DoD's most sensitive programs; it requires a government-led assessment every 3 years.

Are you ready for CMMC?

Get in touch to learn how our CMMC Managed Compliance Service can help