What Is CMMC? Cybersecurity Maturity Model Certification

What Is CMMC?

CMMC, or the Cybersecurity Maturity Model Certification, is a cybersecurity framework that the United States Department of Defense (DoD) created to protect the data stored by the Defense Industrial Base (DIB).

Broadly, the DIB consists of contractors and subcontractors that work with the Department of Defense — and therefore handle highly sensitive information.

CMMC 1.0

In 2019, the DoD announced its creation of a cybersecurity assessment and certification model. The CMMC’s original purpose was to ensure that the DoD’s suppliers and contractors properly secure and maintain the controlled unclassified information (CUI) and federal contract information (FCI) on their networks.

CMMC 2.0

In November 2021 — a little over two years after the DoD announced the first phase of the CMMC — the U.S. agency revealed plans for a strengthened and enhanced CMMC 2.0 program. Phase 2 maintains the original goal of safeguarding sensitive CUI while also minimizing existing barriers to compliance.

The Cybersecurity Maturity Model Certification Phase 2.0:

  • Streamlines requirements for smaller businesses
  • Simplifies and clarifies standards for regulatory, policy, and contract requirements
  • Requires stronger cybersecurity standards and third-party assessments for higher-priority projects
  • Increases DoD oversight of ethical standards
  • Minimizes barriers to compliance and maximizes ease of execution
  • Encourages a collaborative cybersecurity culture

The 2.0 enhancements aim to strengthen DIB companies’ cybersecurity by facilitating more collaboration with the DoD and empowering contractors to perform self-assessments and report on their compliance.

What Is the Purpose of CMMC?

Cyber threats against the defense industrial base are on the rise — and those threats are not only growing more frequent but also more complex. To protect companies in the DIB from these mounting attacks, the DoD needs strong, comprehensive IT safeguards and standards.

CMMC assesses suppliers’ security programs and ensures that those suppliers have sufficient systems in place to protect any CUI that resides on their networks.

It’s designed to reduce vulnerabilities in the supply chain, protect DoD information from breaches, and improve overall cybersecurity practices.

What Is the CMMC Framework?

The original CMMC — or version 1.0 — organized security processes into five tiers of maturity that included:

  • Level 1: Basic — safeguards FCI online (17 practices)
  • Level 2: Intermediate — a transitional level (72 practices)
  • Level 3: Good — safeguards CUI in addition to FCI (130 practices)
  • Level 4: Proactive — protects CUI and reduces the risk of advanced persistent threats (APTs) (156 practices)
  • Level 5: Advanced — progressive cyber program (171 practices)

Each maturity level was built upon the one before it, requiring a company to master all of the practices in one level before moving on to the next.

The streamlined CMMC 2.0 reduces the number of maturity levels from five to three, drops 20 security requirements, aligns more closely with the security controls of NIST SP 800-171, and allows some organizations to self-assess their programs rather than submit to third-party reviews. The new, simplified levels of 2.0 are:

  • Level 1: Foundational — requires annual self-assessments (17 practices)
  • Level 2: Advanced — requires annual self-assessments for select organizations, or third-party assessments for critical national security information; aligns with NIST SP 800-171 (110 practices)
  • Level 3: Expert — requires government-led assessments; aligns with NIST SP 800-172 (110+ practices)

Who Must Comply with CMMC?

The Department of Defense works with more than 30,000 contractors and subcontractors. These may include companies in tech, finance, manufacturing, design and development, research, cloud service providers, and more. Under version 1.0, all of them needed to be certified.

Phase 2.0, however, breaks up certification requirements by level. Level 1 companies, which handle FCI that is not critical to national security, will not need to submit to government or third-party assessments and can rely on self-certification.

Level 2 defense contractors that handle sensitive CUI for national security purposes will need third-party certification, whereas companies handling non-prioritized projects may not.

How Do You Get CMMC Certification?

While some certification details are still under development, the Accreditation Body — or CMMC-AB — is responsible for providing accreditation to the third-party organizations that certify DoD contractors.

These assessors, known as CMMC Third Party Assessment Organizations — or C3PAOs — will be authorized to conduct assessments of contractors’ security networks and provide the certifications that are appropriate for each organization.

What Does CMMC Compliance Mean?

Companies that contract with the US Department of Defense must keep the highly sensitive data that they have access to secure. If you want to contract with the DoD, you must be well-versed in the regulation’s policies, practices, and standards — and if you deal with certain types of data, you will need third-party or government certification, as well.

Adhering to the National Institute of Standards and Technology Special Publication 800-171 — or NIST SP 800-171 framework — is half of the battle, since the new enhancements adhere so closely to NIST’s set of security guidelines.

Companies looking to work with the DoD or place bids for government contracts need to make sure they have effective security practices in place. BigID’s advanced, ML-based security solutions help organizations protect all their sensitive data across the organization, at scale. Here’s how:

Set up a BigID demo to see how we can help you secure highly sensitive national security information.