Things You Should Know About Cybersecurity Maturity Model Certification
The information in the article below was superseded by CMMC 2.0 in mid-November 2021.
What is CMMC?
Cybersecurity Maturity Model Certification (CMMC) is the cybersecurity certification standard that the Department of Defense (DOD) is phasing in over the next five years. Beginning October 1, 2025, all DOD contracts will carry a CMMC compliance requirement. If your organization is part of the DOD supply chain, or plans to become part of it, and has not yet reviewed the CMMC compliance requirements, now is the time to start planning. For those who have already started, this series of articles will provide information, from the basics through the finer details, on CMMC readiness and the certification process.
Who must comply?
Any organization in the DOD supply chain that handles Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) must comply. The DOD supply chain includes prime contractors and every tier of subcontractor beneath them, down to the lowest level. That is, an organization must obtain certification even if it does not contract directly with the DOD. The contract or subcontract must specify whether the contractor will process, store, or transmit FCI and/or CUI.
According to Federal Acquisition Regulation (FAR) Clause 52.204-21, FCI is defined as follows:
Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
According to 32 CFR 2002.4(h), CUI is defined as follows:
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.
The certification requirement applies to all DOD contractors and subcontractors regardless of size. The appropriate FAR clauses must be included in every contract and subcontract so that each organization understands the CMMC certification requirements that apply to it.
What are the Compliance Levels?
CMMC certification has five levels. To date, security objectives have been defined for levels one through three. The practices are drawn from National Institute of Standards and Technology (NIST) guidance, principally NIST SP 800-171, the Special Publication that sets out recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). The DOD request for information or request for quote will state the certification level required.
Level one certification is required for contractors and subcontractors who handle FCI. Level one requires compliance with 17 practices spanning the following 6 domains. Each domain is listed with a summary of the practice objectives within it.
- Access control – limit access and types of access to internal, external, and publicly facing systems.
- Identification and Authentication – identify and authenticate users, processes, or devices, prior to allowing access.
- Media Protection – sanitize or destroy information system media.
- Physical Protection – limit, monitor, log and control physical access to organizational information systems, equipment, operating environments to authorized individuals.
- System and Communications Protection – monitor, control, and protect organizational communications.
- System and Information Integrity – manage information system flaws, provide protection from malicious code, and perform periodic scans.
Level two certification is a transition stage between level one and level three. Level two adds 9 domains, 55 additional practices, and two process maturity requirements, for a total of 15 domains and 72 practices. The level two maturity requirements are: 1) establish a policy for each of the 15 domains, and 2) establish and maintain the plan for performing the 72 practices defined in the domain policies.
Level three certification is currently the highest level for which domains and practices are defined. Level three adds 2 domains, 58 additional practices, and one further process maturity requirement, for a total of 17 domains and 130 practices. The level three maturity requirements are: 1) establish a policy for each of the 2 additional domains, 2) establish and maintain the plan for performing the additional 58 practices defined in the domain policies, and 3) provide adequate resources for performing the process, developing the work products, and providing the services of the process.
Watch for future articles with additional details on certification levels, scoping, and assessment criteria and methodologies.
McKonly & Asbury is on the path to certification as a CMMC Third Party Assessment Organization (C3PAO) by mid-2022. Visit our CMMC webpage or contact us today with any questions or to schedule an initial consultation.
About the Author
Elaine is a Director with McKonly & Asbury. Her primary responsibilities include management of the Internal Audit Services group. Elaine handles client relationships and is accountable for the delivery of high quality and timely d…