What Is CMMC?

CMMC, or the Cybersecurity Maturity Model Certification, is a cybersecurity framework that the United States Department of Defense (DoD) created to protect the data stored by the Defense Industrial Base (DIB).

Broadly, the DIB consists of contractors and subcontractors that work with the Department of Defense — and therefore handle highly sensitive information.

CMMC 1.0

In 2019, the DoD announced its creation of a cybersecurity assessment and certification model. The CMMC’s original purpose was to ensure that the DoD’s suppliers and contractors properly secure and maintain their networks’ controlled unclassified information (CIU) and federal contract information (FCI).

CMMC 2.0

In November 2021 — a little over two years after the DoD announced the first phase of the CMMC — the U.S. agency revealed plans for a strengthened and enhanced CMMC 2.0 program. Phase 2 maintains the original goal of safeguarding sensitive CIU while also minimizing existing barriers to compliance.

The Cybersecurity Maturity Model Certification Phase 2.0:

  • Streamlines requirements for smaller businesses
  • Simplifies and clarifies standards for regulatory, policy, and contract requirements
  • Requires stronger cybersecurity standards and third-party assessments for higher-priority projects
  • Increases DoD oversight of ethical standards
  • barriers to compliance and maximizes ease of execution
  • Encourages a collaborative cybersecurity culture

The 2.0 enhancements aim to strengthen DIB companies’ cybersecurity by facilitating more collaboration with the DoB and empowering contractors to perform self-assessments and report on their compliance.

Pentagon officials are indicating that the Office of Management and Budget (OMB) is likely to approve the CMMC regulations as a “proposed rule” in 2023, and that there will be a comment period of up to one year before the final rules take effect. This would provide companies with additional time to understand and prepare for the anticipated complex regulation. However, it also means that CMMC requirements are not expected to appear in contracts until 2024. According to the fall 2022 unified agenda, the CMMC regulations are currently in the “proposed rule” stage, and a notice of proposed rulemaking is anticipated to be published in May 2023, though these projections are subject to change.

What Is the Purpose of CMMC?

Cyber threats against the defense industrial base are on the rise — and those threats are not only growing more frequent but also more complex. To protect companies in the DIB from these mounting attacks, the DoD needs strong, comprehensive IT safeguards and standards.

CMMC assesses suppliers’ security programs and ensures that those suppliers have sufficient systems in place to protect any CUI that resides on their networks.

It’s designed to reduce vulnerabilities in the supply chain, protect DoD information from breaches, and improve overall cybersecurity practices.

What Is the CMMC Framework?

The original CMMC — or version 1.0 — organized security processes into five tiers of maturity that included:

Level 1: Basic
Safeguards FCI online — 17 practices
Level 2: Intermediate
A transitional level — 72 practices
Level 3: Good
Safeguards CUI in addition to FCI — 130 practices
Level 4: Proactive
Protects CUI and reduces the risk of advanced persistent threats (APTs) — 156 practices
Level 5: Advanced
Progressive cyber program — 171 practices

Each maturity level was built upon the one before it, requiring a company to master all of the practices in one level before moving on to the next.

The streamlined CMMC 2.0 reduces the number of maturity levels from five to three, drops 20 security requirements, aligns more closely with the security controls of NIST SP 800-171, and allows some organizations to self-assess their programs rather than submit to third-party reviews. The new, simplified levels of 2.0 are:

Level 1: Foundational
Requires annual self-assessments — 17 practices
Level 2: Advanced
Requires either annual self-assessments for select organizations — or third-party assessments for critical national security information; Aligns with NIST SP 800-171 policies — 110 practices
Level 3: Expert
Requires government-led assessments; Aligns with NIST SP 800-172 policies — 110+ practices

CMMC Requirements

There are a number of requirements organizations must meet to satisfy certification of CMMC including:

  • identifying and documenting all systems and assets, including data, that are relevant to the protection of Controlled Unclassified Information (CUI)
  • establishing and maintaining a System Security Plan (SSP) that describes how it meets the security requirements outlined in the CMMC framework
  • implementation and documentation practices and procedures for managing access to CUI, including authentication, authorization, and auditing
  • develop and maintain an incident response plan that outlines procedures for responding to and reporting security incidents
  • procedures for regularly monitoring, assessing, and testing its security controls to ensure they are effective
  • demonstrate compliance with the appropriate level of CMMC certification through a formal assessment by a CMMC Third Party Assessor Organization (C3PAO)

Who Must Comply with CMMC?

The Department of Defense works with more than 30,000 contractors and subcontractors. These may include companies in tech, finance, manufacturing, design and development, research, cloud service providers, and more. Under version 1.0, all of them needed to be certified.

Phase 2.0, however, breaks up certification requirements by level. Level 1 companies that protect FCI that are not critical to national security will not need to submit to government or third-party assessments and can rely on self-certification.

Level 2 defense contractors who handle sensitive CUI for national security purposes will need certification, whereas companies handling non-prioritized projects may not.

How Do You Get CMMC Certification?

While some certification details are still under development, the Accreditation Body — or CMMC-AB — is responsible for providing accreditation to the third-party organizations that certify DoD contractors.

These assessors, known as CMMC Third Party Assessment Organizations — or C3PAOs — will be authorized to conduct assessments of contractors’ security networks and provide the certifications that are appropriate for each organization.

CMMC Assessment Types

Self-assessments: are an option where the company conducts the evaluation. This type of assessment is generally used for lower levels of CMMC certification and can help the company identify cybersecurity weaknesses. However, it’s important to note that self-assessments are not always accepted for all certification levels and may require third-party verification to ensure accuracy and validity of the results.

Third-party assessments: this type of assessment is conducted by an external organization that has been authorized by the CMMC Accreditation Body. The purpose of this assessment is to evaluate the company’s adherence to the specific practices and requirements outlined in the CMMC and provide an independent assessment of the company’s cybersecurity. The third-party assessment is a critical component of achieving CMMC certification and is necessary to ensure that companies have implemented effective cybersecurity controls.

Government assessments: this assessment is conducted by the US government and evaluates the company’s adherence to the specific practices and requirements outlined in the CMMC, as well as any additional security requirements specified by the government agency. Government assessments are often conducted in addition to third-party assessments to verify the results or evaluate additional security measures. The primary goal of a government assessment is to ensure that the company has implemented effective cybersecurity controls and measures to protect sensitive information.

What Does CMMC Compliance Mean?

Companies that contract with the US Department of Defense must keep the highly sensitive data that they have access to secure. If you want to contract with the DoD, you must be well-versed in the regulation’s policies, practices, and standards — and if you deal with certain types of data, you will need third-party or government certification, as well.

Adhering to the National Institute of Standards and Technology Special Publication 800-171 — or NIST SP 800-171 framework — is half of the battle, since the new enhancements adhere so closely to NIST’s set of security guidelines.

Companies looking to work with the DoD or place bids for government contracts need to make sure they have effective security practices in place. BigID’s advanced, ML-based security solutions help organizations protect all their sensitive data across the organization, at scale. Here’s how:

Set up a BigID demo to see how we can help you secure highly sensitive national security information.