Cybersecurity Maturity Model Certification In 2024: What You Need To Know
If your organization is a government contractor or subcontractor, you’ve likely been tracking the progress of CMMC over the past several years. Or maybe you have no idea what the acronym means and what you need to know.
Whether you do business with the government or not, CMMC provides an important cybersecurity framework for any business. I've got you covered and will tell you everything you need to know.
In this article we’ll explore the latest developments with CMMC 2.0 so that you know where things stand and what to expect. We’ll explain everything from the kinds of information governed by CMMC to a full definition of the acronym. We’ll fill you in on the latest developments and let you know what they mean for you.
What Is CMMC?
The Department of Defense began work on its Cybersecurity Maturity Model Certification (CMMC) Program in 2019 to provide enhanced protection for information shared within the U.S. Defense Industrial Base (DIB).
Based on the framework for protecting information currently outlined in NIST 800-171, CMMC expands the application of the security requirements for certain priority programs to further help non-government organizations mitigate threats posed by adversaries with sophisticated levels of expertise and significant resources.
It also provides a mechanism for the DoD to verify that defense contractors and subcontractors have implemented the security requirements at each CMMC Level and are maintaining that level of security across the contract period.
Over the years, the CMMC program and its requirements have undergone several iterations. Visit the DoD's website to see how the program has evolved and what the latest model looks like.
What Is The Goal of CMMC Compliance?
The goal of CMMC compliance is to ensure that government contractors and subcontractors safeguard sensitive information that is NOT designated confidential, secret or top secret and is used to produce the parts, systems, and components needed for national defense.
This information, known as controlled unclassified information (CUI) and federal contract information (FCI), is often shared within the U.S. DIB and would be beneficial to other governments and regimes, which is why it needs to be secured.
What Are CUI and FCI?
Both CUI and FCI include information created or collected by or for the U.S. Government, as well as information received from the Government.
Here are the DoD definitions of each type of information:
FCI is "...information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government."
FCI does not include "information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments."
CUI is "...information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls."
If you aren’t sure which types of information your organization handles, ask your government liaison. Better to be safe than sorry.
Why Is CMMC Important?
CMMC is important because it helps ensure that important information is protected from cyber threats.
Although this information isn’t classified or otherwise restricted, it could be used in ways that would be detrimental to national security. Validating that basic cyber hygiene practices exist and are effective within the supplier and partner networks of the DIB provides a baseline level of protection.
What’s The Latest?
In the final days of 2023, the U.S. Department of Defense (DoD) published its proposed rule codifying the CMMC program. The proposed rule is now open for review and comment, along with eight CMMC guidance documents and several new information collections.
According to the DoD, the proposed rule establishes the CMMC Program and defines its general requirements as well as those required at specific CMMC levels. It also identifies the assessments required by DoD contracts and applicable subcontracts. Each of the three CMMC levels and assessment types is described in the proposed program rule.
When the CMMC Program rule is finalized, solicitations for defense contracts that involve the processing, storage, or transmission of FCI or CUI on a non-Federal system will (in most cases) be assigned a CMMC level and assessment type contractors must meet to be eligible for a contract award.
CMMC 2.0 is expected to be implemented in four phases over a three-year period.
Who Does CMMC Affect?
Organizations that work on government contracts or subcontracts and handle either CUI or FCI will be required to comply with CMMC 2.0, in much the same way they are currently required to follow the NIST 800-171 framework.
How Is CMMC Different From NIST 800-171?
Modeled on the NIST 800-171 framework, the CMMC 2.0 model has three certification levels and various assessment and affirmation requirements.
Level 1 (basic)
Total requirements identified: 17
Annual self-assessment and affirmation only
Level 2 (intermediate)
Total requirements identified: 110
Third-party assessment every three years, affirmation annually
Level 3 (advanced)
The specific controls and assessment procedures for Level 3 are yet to be defined.
The level of CMMC certification required by a contract will depend on the types of information the contractor or subcontractor accesses and possesses.
Where Do You Go From Here?
You now have a comprehensive understanding of CMMC 2.0. You understand what it is, the goal, the types of information it is designed to protect, why it's important, the latest developments, who is affected, and how it differs from NIST 800-171.
If you have other questions that haven't been answered here, check out the DoD's list of frequently asked questions.
Keep an eye out for updates as things may change. We’ll keep you posted on new developments.
Although CMMC is required for organizations that do business with the government, I encourage all business leaders to use the requirements as a framework to ensure that your business has the protections it needs to prevent cyber incidents.
Just as adding layers of security to your home makes you less likely to be an easy target, every added layer of cybersecurity makes it harder for criminals to breach your systems.
I say it all the time, but it bears repeating: cybersecurity is not a “set it and forget it” proposition. The threats continue to change and the sooner you take action to protect your data and infrastructure the better. Prepare now and stay aware of emerging threats.
Whether you have in-house resources that can take a leadership role in preparing for compliance with the CMMC 2.0 framework or need to lean on external resources for help, prepare now. It will take time to get the security tools you need in place.
The sooner you are protected, the safer your business and data will be. You will be better for it in the long run.