The Department of Defense now requires all commercial vendors doing business with it to become Cybersecurity Maturity Model Certification (CMMC) compliant. That means every DoD contractor will need to become CMMC certified by passing a CMMC audit that verifies it has met the appropriate level of cybersecurity for its business. This will be a requirement for any organization that wants to hold contracts with the Department of Defense.
Read on for the answers to some common questions about CMMC:
What are CDI and CUI?
Covered defense information (CDI) describes information that requires protection under DFARS Clause 252.204-7012. It is defined as unclassified controlled technical information (CTI) or other.
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
When do the certifications take effect?
The DoD has built upon the existing DFARS 252.204-7012 regulation and developed the CMMC as a “verification component” for its cybersecurity requirements. The DoD has so far trusted contractors to achieve compliance on their own; with continued pressure to ensure 100% adoption of cybersecurity controls, the DoD is updating its policies.
Now is the time for contractors to get an assessment to determine where they stand against the NIST 800-171 controls and which CMMC level they want to achieve, so that they can be certified by the second quarter of 2020.
In the fourth quarter of 2019, the DoD will release the CMMC levels and their associated NIST 800-171A controls. The DoD will also announce the nonprofit that will be in charge of the certification process and will start training third-party certifiers.
What are the 5 CMMC levels and their respective requirements?
Level 1 – “Basic Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement 17 controls of NIST 800-171 rev1.
Level 2 – “Intermediate Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement another 46 controls of NIST 800-171 rev1.
Level 3 – “Good Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement the final 47 controls of NIST 800-171 rev1.
Level 4 – “Proactive” – In order to pass an audit for this level, the DoD contractor will need to implement 26 controls of NIST 800-171 RevB (still in the public comment stage).
Level 5 – “Advanced / Progressive” – In order to pass an audit for this level, the DoD contractor will need to implement the final 4 controls in NIST 800-171 RevB.
— Buck Pierce, director solutions engineering, national security and defense