If you are part of a company in the Defense Industrial Base, you may have heard the term CMMC. This term is becoming more and more important for companies that want to contract work with the Department of Defense, and understanding what it means is crucial for your company’s future.
What Is CMMC?
CMMC is the Cybersecurity Maturity Model Certification program, originally introduced in 2019. The latest version, CMMC 2.0, is slated to go into effect by July 2023.
This certification program is designed to accredit contractors in the proper handling and protection of Controlled Unclassified Data in order to reduce cyber risks. The process will standardize cybersecurity standards and better secure CUI.
Who Must Acquire Certification?
Every contractor in the DIB will be required to certify as CMMC compliant in order to be eligible for DoD contracts. Different cybersecurity risks will be handled by endorsing three different CMMC Levels. Each Level has separate models and assessments that correlate to the expertise required to handle certain kinds of information and will determine what is CMMC compliance for each group.
What Are the CMMC 2.0 Levels?
CMMC 2.0 is comprised of three levels:
Level 1: Foundational
This level applies to companies that focus on FCI protection. It is based on the 17 practices of Basic Safeguarding of Covered Contractor Information. It limits access to only authorized users and protects covered contractor information systems.
Level 2: Advanced
Level 2 aligns with the National Institute of Technology and Standards designed to protect CUI. This level totally overlaps with NIST 800-171.
Level 3: Expert
Targeting companies working with the DoD’s highest priority programs, Level 3 focuses on mitigating risk from Advanced Persistent Threats. It appears that this level will have requirements based on or overlapping with NIST SP 800-171 and NIST SP 800-172 controls.
Who Will Determine CMMC Compliance?
CMMC compliance will be determined either by self-assessment or third-party certification.
For Level 1, contractors will be required to complete a self-assessment every year. For Level 2 certifications for critical national security information, triannual third-party assessments will be required. However, select Level 2 programs that do not involve critical national security information will be able to submit annual self-assessment instead, similar to Level 1.
Level 3 endorsements will require triannual, government-led assessments to remain compliant.
The CMMC 2.0 allows for a limited number of Plans of Action and Milestones to obtain a waiver. Similarly, when an assessment is due, a company can submit a POA&M instead of meeting non-critical security controls. The POA&Ms will be time-bound for 180 days, and these limits will be strictly enforced.
What Is the CMMC Timeline?
It appears that the date of the interim rule will be May 2023, with the goal of CMMC 2.0 being included in contracts as early as July 2023.
In addition, While a full rollout may take through 2026, companies in the DIB who are responsible for CUI should target compliance with the CMMC 2.0 Level 2 by July 2023 in order to be sure they remain contract-eligible.
Complying with CMMC 2.0 will better protect the US against cyberattacks and will help to keep our military, technology and commercial ventures safe.
For more information, visit whatsmind.com
