The Cybersecurity Maturity Model Certification (CMMC) is a certification that will be required of every firm that does business with the Department of Defense (DoD). It was announced in 2019 and is expected to appear in Requests for Information (RFIs) starting in June 2020.
Certification levels range from 1 to 5, with 5 being the most advanced. Other federal agencies are expected to follow the DoD's lead, so any organization that does business with the federal government should start planning now. The practices CMMC calls for are also simply good business practice!
The current draft of CMMC is v0.7, which is out for public comment. The final version is due to be released this month (January 2020), so stay tuned for updates.
Why is the government doing this?
CMMC is a program to assess and improve the cybersecurity posture of the U.S. Defense Industrial Base (DIB). The DIB includes all firms, domestic and international, that perform work for the DoD and for other federal agencies that support military operations. CMMC sets standards, processes and a verification mechanism to protect controlled unclassified information (CUI) that resides on the networks of DoD's industry partners. It combines requirements from several existing sources, including FAR 52.204-21 (48 CFR 52.204-21), DFARS 252.204-7012, NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others, into one unified set of cybersecurity criteria. Earlier programs required only self-attested compliance and so were, by nature, less stringent. Under CMMC, assessments will be performed by certified third-party assessment organizations (C3PAOs), which in turn are accredited by a single non-profit accreditation body.
CMMC also defines graduated levels of cybersecurity maturity (1 through 5), so it can be tailored to the needs of a given contract as well as to vendor size.
So what should you be doing now to prepare?
Our advice is to familiarize yourself with CMMC (currently Draft v0.7) and to review every system that stores or processes Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) against the Domains, Capabilities, and Practices defined in the available version of the model. Knowing which systems hold FCI or CUI, and at which level you will need to certify, is the starting point for any gap assessment. The CMMC FAQ page is also a good source of information.
CMMC Model Framework:
- Domains – key sets of capabilities for cybersecurity (for example Access Control or Incident Response)
- Capabilities – achievements that ensure cybersecurity objectives are met within each domain
- Practices & Processes – practices are the activities required at each level to achieve a capability; processes describe how mature (how documented, managed and reviewed) the performance of those practices is

| Level | Practices | Process maturity |
|---|---|---|
| CMMC Level 1 | Basic cybersecurity | Practices are ad hoc |
| CMMC Level 2 | Universally accepted cybersecurity best practices | Practices are documented |
| CMMC Level 3 | Coverage of all NIST SP 800-171 rev 1 controls | Processes are guided by policy, maintained and followed |
| CMMC Level 4 | Advanced and sophisticated cybersecurity practices | Practices are periodically evaluated and revised |
| CMMC Level 5 | Highly advanced cybersecurity practices | Practices are continuously improved and shared across the enterprise |