It comes as no surprise that the United States Department of Defense (DoD) is an increasingly more frequent target of complex cybersecurity attacks. In an effort to combat this increase in likelihood of attacks, the DoD created a cybersecurity program, called the Cybersecurity Maturity Model Certification or CMMC, to further enhance and bolster its cybersecurity posture and better protect national security-related information. The main goal of CMMC is to provide the DoD the ability to further protect the national security information, Controlled Unclassified Information (CUI), and Federal Contract Information (FCI) that the DoD shares with third party contractors, service providers, and subcontractors. As a result of the mandating of this certification, the DoD is able to gain higher levels of assurance that its contractors are following required cybersecurity standards and practices.
By implementing the CMMC standard, the federal government can encourage a greater number of private organizations to vastly improve their own cybersecurity practices, and then have those cybersecurity practices certified by an independent organization that is not the federal government (that is, the CMMC certification body is not run by the government).
The 3 Levels of CMMC Compliance
CMMC compliance is broken up into three levels. Each level has a set of required practices and controls, and each level builds upon the last.
Level 1: Basic cybersecurity controls and hygiene must be demonstrated to reach CMMC level 1. The basic practices that are required to be demonstrated and implemented for CMMC level 1 are represented within the Federal Acquisition Regulation (FAR) 52.204-21 set of cybersecurity controls. Contractors and suppliers may demonstrate CMMC level 1 compliance through self-assessments and self-attestations for the required controls.
Level 2: In addition to having implemented the practices required for CMMC level 1, an organization with a goal of level 2 compliance must have all National Institute of Standards and Technology (NIST) Special Publication 800-171 controls implemented. Dependent on the type of data processed by an organization, compliance with level 2 CMMC may be met through a couple of different avenues. If an organization is processing critical information, such as CUI or FCI, it would be required to undergo a certified independent third party assessment of the required controls, performed by a CMMC Third-Party Assessment Organization (C3PAO). Organizations that are not processing or handling such critical data may have executive leadership perform and certify a self-assessment.
Level 3: This final level of the CMMC tiers is met when a contractor is able to demonstrate compliance with a particular control subset of NIST Special Publication 800-172. This particular set of NIST controls was designed specifically for organizations that need to be protected against threat actors that typically target the DoD supply chain. This represents over 100 controls that must be implemented in addition to those included in the previous two levels. Organizations that wish to achieve CMMC level 3 compliance are required to have a government-led assessment every three years, performed by the Defense Contract Management Agency.
The new implementation of CMMC is being executed through a multi-year rollout, with an ultimate goal of implementing CMMC compliance requirements across all DoD contracts by late 2025.