CMMC Compliance Basics Explained

Feb 14, 2024

Cyber attacks pose a significant risk to the employees, customers, and financial stability of most businesses. For U.S. Government contractors, these attacks also pose a threat to national security. In response to these threats, the U.S. Government has adopted a stricter stance on the level of risk it is willing to tolerate from its contractors. The introduction of the Cybersecurity Maturity Model Certification (CMMC) is a strategic move to enhance the protection of governmental data against supply chain cyber threats.


What is CMMC compliance?

The United States Department of Defense (DoD) established the CMMC compliance program to safeguard critical and sensitive government-related data managed by private sector organizations. This encompasses businesses of all sizes, any of which may become a target for cyber threats from entities seeking to undermine the U.S. or steal information.

Earlier regulations for CUI protection relied solely on self-certification without stringent validation, leading to frequent data breaches within non-federal entities under these initial guidelines. This pattern of breaches doesn't imply misconduct by affected parties but highlights the need for stricter verification to ensure compliance. The challenges in safeguarding government and sensitive data, as outlined in a report by the National Defense Industrial Association (NDIA), underscore the necessity for more robust measures.

Who is required to be CMMC compliant?

Upon full implementation of the CMMC program, only businesses with valid CMMC certification will be eligible for contracts involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This means uncertified companies will be excluded from handling sensitive government data, a change that poses challenges for long-standing government contractors unaccustomed to the expenses of comprehensive cybersecurity measures.

The article employs numerous abbreviations common in U.S. Government contexts, explained upon first use and summarized in a glossary. Despite CMMC's lengthy development, bureaucratic hurdles delay its full rollout, though existing regulations already mandate the safeguarding of sensitive data by DoD contractors.

Department of Defense Contracts Already Require CUI and FCI Security

The mandate to secure CUI is established in DFARS 252.204-7012, a clause integral to all DoD contracts since 2013. The presence of this clause in a contract doesn't automatically indicate the involvement of CUI, but it requires its protection if applicable. This clause outlines the necessary measures for handling CUI, adopting security protocols from NIST SP 800-171, aimed at safeguarding such information within non-federal entities.

The contract requirement to protect Federal Contract Information has been included in all government contracts for many years. This requirement is described in the Federal Acquisition Regulation (FAR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. The FAR rule lists 15 security controls, which equate to 17 controls in NIST SP 800-171 (one control was split apart, which accounts for the increase).

The Foundation of CMMC is NIST SP 800-171

CMMC draws its core structure from NIST SP 800-171, which in its second revision encompasses 110 primary controls, further elaborated through additional objectives leading to over 300 specific actions for implementation and verification. While the third revision of NIST SP 800-171 is available in draft, its finalization might prompt updates to the CMMC framework, although no schedule for such updates is currently established.

CMMC Compliance Levels

CMMC is structured into three tiers, escalating in the complexity and number of security protocols. Levels 1 and 2 will encompass the bulk of entities, with only a select few needing to meet the stringent criteria of level 3. Key distinctions among the levels include the type of government data handled, the quantity of security measures required, and the intensity of the certification procedure.

CMMC Level 1

CMMC Level 1 is designed for entities engaging with the Federal Government that handle FCI but not CUI. It involves the 17 basic security measures from NIST SP 800-171 and may initially allow self-certification, though the policy on this is not yet final.

CMMC Level 2

CMMC Level 2 caters to organizations managing CUI, requiring full compliance with the 110 controls in NIST SP 800-171, verified through third-party audits.

CMMC Level 3

Level 3, the most rigorous, is for those dealing with highly sensitive CUI in critical government programs. It mandates adherence to 145 controls drawn from NIST SP 800-171 and SP 800-172, with audits possibly involving both third-party auditors and DoD's DIBCAC; which of them leads the audit is still under discussion.