CMMC

THE CMMC PROGRAM

The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the Defense Industrial Base (DIB). It is designed to protect sensitive unclassified information that is shared by the Department of Defense with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the Department increased assurance that contractors and subcontractors are meeting these requirements.

The framework has three key features:

• Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.

• Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.

• Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

CMMC requires that all DoD contractors and subcontractors implement practices and controls to safeguard controlled unclassified information (CUI) and federal contract information (FCI). CMMC will also require that DoD contractors and subcontractors undergo an assessment by a CMMC Third-Party Assessment Organization (C3PAO).

What can you be doing right now?

In preparation for CMMC, organizations across the defense industrial base are taking a serious look at their controls surrounding NIST 800-171 and beginning to understand the differences between NIST 800-171 and CMMC. Some specific areas of focus for DoD contractors include the following:

Define your CUI boundary – In order to understand what level of CMMC you might need, start by understanding your CUI boundary and the types of information that are passing through your environment.

Revisit your system security plan (SSP) – In previous versions of the DFARS clause, DoD contractors were required to develop and maintain an SSP. Now is good time to review and update your SSP, because this will be an integral part of your CMMC assessment.

Revisit your POA&M – If you’ve performed a self-assessment, you should have developed POA&M that outlines gaps and your plan to close those gaps. Before going into your CMMC assessment, you should strive to close out outstanding gaps, and a good first step will be to review and update your POA&M.