Department of Defense (DoD) contractors have been waiting for the new Cybersecurity Maturity Model Certification (CMMC) program to roll out since the framework was announced. The updated rules require all DoD contractors to undergo an assessment and certification of their cybersecurity systems, including their effectiveness, before they can be awarded contracts. The certification program includes five levels that increase in difficulty and complexity according to the contractor’s access to sensitive Controlled Unclassified Information (CUI) during a contract. The transition to the new model, along with various program details, has left many with more questions than answers about certification, the process, and when certification is required. To help clients, prospects, and others, PBMares has provided a summary of commonly asked questions below.
- What is CMMC? – CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.
- Why is the CMMC being created? – DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism confirming that appropriate cybersecurity practices and processes are in place to ensure basic cyber hygiene and to protect controlled unclassified information (CUI) that resides on the networks of the Department’s industry partners.
- What is the relationship between NIST SP 800-171 rev.1 and CMMC? – CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev.1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and the Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.
- How will CMMC be different from NIST SP 800-171? – Unlike NIST SP 800-171, the CMMC model has five levels. Each level consists of its own practices and processes as well as those specified in the lower levels. In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s institutionalization of cybersecurity processes.
- How does my organization receive certification? – The CMMC Accreditation Body (AB), a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC AB will provide the requisite information and updates on its website (cmmcab.org). The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs as well as other information. After the CMMC Marketplace is established, DIB companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.
- How much will CMMC certification cost? – The CMMC assessment costs will depend upon several factors, including the CMMC level, the complexity of the DIB company’s network, and other market forces.
- Will there be a self-certification? – DIB companies are encouraged to complete a self-assessment prior to scheduling a CMMC assessment.
- Are the results of my assessment public? – No, the results of a CMMC assessment will not be made public. The only information that will be publicly available is that your company has a CMMC certification. The specific certification level will NOT be made public. The DoD, however, will have access to all DIB companies’ certification levels.
- How often does my organization need to be reassessed? – In general, a CMMC certificate will be valid for 3 years.
- Will other Federal (non-DoD) contracts use CMMC? – The initial implementation of the CMMC will only be within the DoD.
The new CMMC is a complicated model that will require DoD contractors to review, assess, and make the necessary changes to their cybersecurity controls in order to bid on future DoD contracts. The best place to start is a CMMC readiness assessment, which will review your current infrastructure and identify the changes that need to be made.