Last Updated on September 1, 2023
Cybersecurity and the protection of controlled unclassified information (CUI) are critical US Department of Defense (DoD) priorities. To address longstanding security shortcomings in its supply chain and to enforce compliance rather than rely on self-reporting alone, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) 2.0 program and its assessment standard.
CMMC enforces the protection of CUI that the DoD shares with its prime contractors and subcontractors. Its intent is to give the DoD greater assurance that its suppliers' information security controls and processes meet the applicable standard (NIST SP 800-171) and can adequately protect CUI.
3 main CMMC features
The CMMC 2.0 program has three main features:
- A three-tiered model (CMMC Levels 1 through 3) that aligns security requirements with the type and sensitivity of the data an organization handles
- An assessment requirement: depending on the level, contractors must either self-assess annually and have a senior company official affirm the result, or undergo assessment by an accredited third party or by the government, so that compliance is verified rather than merely self-reported
- Implementation through contract clauses, namely the existing DFARS 252.204-7012 clause (which already requires NIST SP 800-171 compliance for CUI) together with the CMMC-specific clause, DFARS 252.204-7021, and related clauses in applicable DoD contracts
CMMC rollout timeline
The DoD recently completed its part of the CMMC rulemaking process. The draft rules are now with the Office of Management and Budget (OMB) for finalization, which may include one more opportunity for public comments.
Once CMMC rulemaking is complete and the program is fully implemented, the DoD will require suppliers that handle Federal Contract Information (FCI) or CUI to achieve a specific CMMC level as a condition of contract award. As of this writing, CMMC requirements could begin appearing in DoD contracts as soon as January 2024, and probably no later than October 2024.
What companies must achieve CMMC 2.0 certification?
CMMC 2.0 will be phased in over a three-year period. Eventually all suppliers doing business with the DoD will need a certification at the appropriate CMMC level, except those providing only commercial off-the-shelf (COTS) products. Initial contract award, continuance or renewal will depend on CMMC compliance, either self-attested or independently assessed.
The CMMC security controls are based on the NIST 800-171 security standard, which is currently undergoing a revision from Rev. 2 to Rev. 3:
- Companies that handle only FCI and not CUI will need CMMC Level 1 (Foundational), based on 17 practices drawn from NIST SP 800-171 that correspond to the basic safeguarding requirements of FAR 52.204-21. Level 1 is validated by an annual self-assessment with an annual affirmation by a senior company official.
- Organizations that handle CUI will need CMMC Level 2 (Advanced), which corresponds to the full set of 110 security requirements in NIST SP 800-171 Rev. 2. For most CUI-handling contracts, Level 2 will require an assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years, with an annual affirmation in between; the DoD has indicated that a subset of Level 2 programs involving less sensitive CUI will instead be permitted an annual self-assessment.
- CMMC Level 3 (Expert), still under development, aims to protect the most sensitive forms of CUI from advanced persistent threats (APTs). It will be based on NIST SP 800-171 plus a subset of the requirements in NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. Level 3 will require a government-led assessment every three years, conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and a Level 2 C3PAO assessment is a prerequisite.
How will CMMC impact my company?
Depending on how closely your organization already conforms to NIST SP 800-171, CMMC could have a significant impact on your security posture, your cybersecurity risk management process, and your ability to demonstrate to customers and other stakeholders that you can keep sensitive data secure. Closing a large "delta" between your current state and a compliant one can require significant time, planning, and resources, particularly where the gap involves technical controls such as multifactor authentication, FIPS-validated encryption of CUI, audit logging, and a documented system security plan (SSP) that accurately describes the boundary in which CUI is stored and processed.
Among the biggest challenges for some companies that handle CUI will be the third-party assessment required to verify CMMC Level 2 compliance. The C3PAO performing that assessment must be accredited by the Cyber AB (the CMMC accreditation body) and is independent of any consultant that helped you prepare. Many organizations will choose to work with a Registered Provider Organization (RPO) like CBIZ Pivot Point Security to close gaps efficiently, prepare the evidence an assessor will expect, and pass the assessment on the first attempt.
There can also be negative consequences for firms that fail to implement CMMC in line with DoD requirements. Non-compliant businesses will not be eligible for contracts that carry a CMMC requirement, which can mean lost revenue and business opportunities. Businesses that falsely represent themselves as compliant with CMMC or NIST SP 800-171 can also face liability under the federal False Claims Act, which the US Department of Justice enforces against cybersecurity misrepresentations through its Civil Cyber-Fraud Initiative; remedies include treble damages and per-claim penalties, and whistleblowers inside the company can bring such cases.
What’s next?
For more guidance on this topic, listen to Episode 122 of The Virtual CISO Podcast with guest Warren Hylton from CBIZ Pivot Point Security.