What is the CMMC?

In 2016, the United States Federal Government created FAR 52.204-21 to provide for Safeguarding of Covered Contractor Information Systems. In response to FAR 52.204-21, and as a measure to ensure compliance, the Department of Defense (DoD) created and implemented DFARS 252.204-7012, which mandated that any company holding Controlled Unclassified Information (CUI) that provides insight into the government mission must have the necessary safeguards implemented to secure the CUI. These measures must be implemented using NIST 800-171 guidance. DFARS 252.204-7012 mandates that companies supporting DoD’s missions must demonstrate due diligence in providing measures that protect CUI. These companies are mandated to have a System Security Plan (SSP) and Plan of Action and Milestones (POAM) documentation that addresses information security vulnerability remediation and mitigation measures. Inherently, an organization must have a fully operational Information Security Program supporting a robust cybersecurity posture.

In 2020, the Cybersecurity Maturity Model Certification (CMMC) framework was launched to further enhance the protection of sensitive information relating to contractor services provided to the DoD. Sensitive information includes:

  • Federal Contract Information (FCI) – Information not intended for public release. It is provided by or generated for the government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.
  • Controlled Unclassified Information (CUI) – Information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

Additional types of CUI data include:

  • Controlled Technical Information (CTI) – Technical information with military or space application that is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.

The CMMC framework implements a tiered approach to audit contractor compliance with NIST SP 800-171, based on five different levels of maturity expectations. The CMMC includes 17 capability domains, 43 capabilities, 5 processes across five levels to measure process maturity, and 171 practices across five levels to measure technical capability.

  • Level 1 – Basic Cyber Hygiene: Requires 17 controls. Level 1 will likely be required of all contractors doing business with the DoD, with select practices being documented where required. Appropriate for smaller contractors that only handle FCI.
  • Level 2 – Intermediate Cyber Hygiene: Requires 72 controls. Level 2 is designed to be a bridge to Level 3 compliance, where contractors get into the practice of documenting each practice involving CUI.
  • Level 3 – Good Cyber Hygiene: Requires 130 controls. Level 3 is a managed state where a policy has been put into place and maintained to cover all activities, with all CUI practices documented.
  • Level 4 – Proactive Cybersecurity: Requires 156 controls. Level 4 requires the implementation of more advanced security practices based largely on the NIST 800-171B, where activities are reviewed and measured for effectiveness.
  • Level 5 – Advanced/Progressive Cybersecurity: Requires 171 controls. Level 5 is the optimized state requiring highly advanced cybersecurity practices with a tested, standardized, and documented approach seen across all applicable organizational units.
