10 Reasons an Organization Should Have CMMC Certification

2023-08-16
7 minutes to read
SteelToad OP

What Is CMMC?

The CMMC Model was developed in part because DoD needs assurance that the Defense Industrial Base (DIB) actually conforms to the cybersecurity requirements for CUI and FCI: the NIST SP 800-171 requirements for CUI and the basic safeguarding requirements of FAR 52.204-21 for FCI. Given the surge in cybersecurity breaches, DoD must limit the risk to its sensitive data. CMMC gives DoD the conformance information it needs, and with it increased confidence that the sensitive data it shares remains secure.

The requirement to adhere to NIST SP 800-171 is not new. It is a CURRENT and ACTIVE requirement for every organization in the Defense Industrial Base that handles CUI.

NIST SP 800-171 was published in 2015, and every organization working with FCI and CUI under a DoD contract is expected to comply with it and to self-attest to that compliance. The requirements in place today are set out in FAR 52.204-21 (basic safeguarding of FCI) and DFARS 252.204-7012 (safeguarding of CUI). Where an organization does not yet meet the standard, it must document the gaps in a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) to remediate them. There are penalties for non-compliance, including loss of the contract, breach of contract, failure to be awarded a contract, loss of the chance to bid on future federal solicitations, and liability under the False Claims Act. Therefore, even though the CMMC Model has not yet been formally released and mandated, it is crucial that organizations secure their environments now and follow the NIST SP 800-171 requirements that CMMC intends to certify.

Some history: the CMMC 1.0 Model created a baseline of important cybersecurity practices. The CMMC model provides an established set of standards to which organizations must conform. Its defined cybersecurity domains help organizations align their cybersecurity infrastructure, policies, and procedures for sensitive information so as to reduce cybersecurity risk.

CMMC version 1.0 was released for comment, and after significant input from across industry, including university research centers and labs, the Office of the Under Secretary of Defense, cybersecurity professionals and businesses, and others in the cyber technology industry, the Department of Defense decided to modify and restructure the model. In November 2021, DoD announced CMMC 2.0. Although CMMC appears to be undergoing a significant delay, the Department of Defense states that the time and input are necessary to get CMMC 2.0 "right". When most of the Defense Industrial Base has achieved CMMC, the result will be a collectively robust and effective cybersecurity ecosystem for all parties.

It is expected that CMMC will be required of over 300,000 partners, organizations, and clients doing business with the Department of Defense. CMMC will require organizations to focus their internal policies and procedures on protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). FCI is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service; it excludes information the government makes available to the public (such as on public websites) and simple transactional information, such as that needed to process payments. CUI is information that is not classified but is sensitive and subject to restrictions on how it may be handled, published, and shared.

The Department of Defense has published a list of goals it expects effective adoption of, and certification under, the CMMC 2.0 framework to help achieve. CMMC's cybersecurity best practices and standards aim to:

  • Protect and enable warfighters’ sensitive information
  • Improve DIB cybersecurity in response to evolving threats
  • Maintain accountability while minimizing barriers to DoD compliance
  • Build a culture of cybersecurity and cyber resilience through collaboration
  • Maintain high ethical and professional standards to maintain public trust

Although organizations should already be adhering and self-attesting to the NIST SP 800-171 requirements, the Department of Defense is not expected to require CMMC 2.0 certification of compliance with those standards until 2026.

What Is CMMC Certification For My Organization?

CMMC Certification confirms that your organization has been assessed and has adopted cybersecurity practices in accordance with NIST SP 800-171 and the key practice areas of the Department of Defense CMMC 2.0 Model. Successful certification confirms that an organization is capable of protecting FCI and CUI. The CMMC Model applies to every organization that does business with DoD, or is trying to win DoD business, and that uses contractor networks to process, store, or transmit FCI or CUI.

Organizations seeking CMMC 2.0 Level 1 may perform an annual self-assessment against the basic safeguarding practices of FAR 52.204-21, which cover a limited set of domains within the CMMC Model. Level 1 applies to organizations that handle FCI only. Organizations in the Defense Industrial Base (DIB) seeking CMMC 2.0 Level 2, which covers CUI, must in most cases undergo an assessment conducted by CMMC Certified Assessors working for an authorized CMMC Third-Party Assessment Organization (C3PAO). To pass a Level 2 assessment, at least 88 of the 110 practices (80%) must be scored MET; any remaining practices must be placed on a POA&M and closed out within the allowed period before full certification is granted. An organization that does so has achieved alignment with the CMMC 2.0 Model.

Top 10 reasons an organization must work toward – and eventually have – a CMMC Certification

1. Proof

The CMMC Certification provides independent evidence.

Evidence of compliance with NIST 800-171 standards.

Evidence your organization’s cybersecurity infrastructure adheres to the CMMC Model and, more crucially, protects sensitive CUI as mandated by the DOD.

2. Examine Current Posture

CMMC Certification requires a thorough examination of an organization's present cybersecurity posture, which in turn lets the organization demonstrate full compliance with the Department of Defense's requirements rather than merely assert it.

3. Reassure And Avoid Risk

CMMC (Cybersecurity Maturity Model Certification) arose from the need to reassure the Department of Defense that the security standard it had adopted, NIST SP 800-171 (published in 2015), was being consistently and accurately implemented by contractors. A single missing link in the supply chain (one organization, sub-contractor, system, person, or process) can result in a catastrophic cybersecurity incident for both the organization and the Department of Defense.

4. Comply With DoD Contracts

CMMC 2.0 rulemaking has not yet been formally published in the DFARS for use in the Defense Industrial Base, but once it is, ALL organizations under contract with, or seeking to contract with, the Department of Defense will have to meet the cybersecurity requirements of the CMMC level specified in the contract. A valid CMMC certification demonstrates that compliance. However, today's regulations under FAR 52.204-21 and DFARS 252.204-7012 already require organizations to:

  • Implement the basic safeguarding requirements for FCI (FAR 52.204-21).
  • Implement NIST SP 800-171 to provide adequate security for CUI (DFARS 252.204-7012).
  • Document any unimplemented NIST SP 800-171 requirements in a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) (DFARS 252.204-7012).
  • Post a current NIST SP 800-171 DoD Assessment score in the Supplier Performance Risk System (SPRS) (DFARS 252.204-7019 and 252.204-7020).

An organization that claims compliance it does not actually have is exposed to liability under the False Claims Act.

5. Uphold And Adhere To DoD’s Policies On CUI and FCI

CMMC Certification is the proof, and the accountability mechanism, that organizations in the Defense Industrial Base are upholding the cybersecurity practices defined in NIST SP 800-171 and expected by the Department of Defense. DoD expects the FCI (Federal Contract Information) and CUI (Controlled Unclassified Information) it shares with partner organizations to remain secure on their infrastructure, not only on its own. CMMC levels the "cybersecurity playing field" by fixing NIST SP 800-171 as the standard for all organizations and encouraging businesses to align their corporate cybersecurity policies and processes with the CMMC Model requirements.

6. Align With The President’s Executive Order 14028 On Cybersecurity

CMMC Certification reflects the general intent of the President’s May 12, 2021, Executive Order 14028, "Improving the Nation’s Cybersecurity". In this Executive Order, President Biden solidifies the requirement for industry to reduce the risk of cyber attacks and interference, with requirements detailed for businesses that do business with the federal government. Executive Order 14028 states, “It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security. The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.”

7. Prevent, Detect, Assess, And Remediate

CMMC certification, and its periodic renewal, require an organization to establish a cybersecurity posture that is maintained, reviewed, updated, and followed. CMMC gives businesses a framework for analyzing their internal cybersecurity procedures and processes so they can fulfill and plan for the “prevention, detection, assessment, and remediation” of cyber incidents and best avoid risk. By doing so, organizations demonstrate to DoD that they are actively monitoring and limiting risk and engaging proactively, and continuously, with the obligations in NIST SP 800-171.

8. Demonstrate

Successful CMMC Level 2 certification demonstrates adherence to a comprehensive set of 14 security domains and 110 practices, the same 14 requirement families and 110 requirements found in NIST SP 800-171. The original CMMC model was developed from multiple cybersecurity frameworks and standards, including:

  • NIST SP 800-171
  • NIST SP 800-171B (draft, later published as NIST SP 800-172)
  • NIST SP 800-172
  • NIST SP 800-53
  • United Kingdom Cyber Essentials
  • Australian ACSC Essential Eight
  • CIS Controls v7.1
  • CERT-RMM v1.2

Note that CMMC 2.0 removed the practices that were unique to CMMC 1.0: Level 2 now maps directly to NIST SP 800-171, and Level 3 adds a subset of NIST SP 800-172.

9. Perform Gap And Self Assessment

CMMC certification encourages organizations to perform a comprehensive gap analysis and self-assessment against the CMMC framework to gauge their current cybersecurity state. Today, organizations handling CUI under DoD contracts are already expected to have a current NIST SP 800-171 DoD Assessment score posted in the Supplier Performance Risk System (SPRS), as required by DFARS 252.204-7019 and 252.204-7020.

10. Gain In Cybersecurity Maturity

CMMC certification encourages organizations not only to comply with the standards in the CMMC model but to adopt, and consistently build on, cybersecurity maturity. CMMC is structured as progressive levels, each adding requirements to the one below it. The goal is to “institutionalize” cybersecurity standards across the whole Defense Industrial Base, which will be accomplished by requiring compliance from every organization that makes up the DIB.
