The History of CMMC
The Cybersecurity Maturity Model Certification (CMMC) was created to safeguard sensitive unclassified information across the Defense Industrial Base (DIB) by closing gaps in the prior regulatory requirements. The Department of Defense (DoD) found that contractors doing business with the federal government were not satisfying the requirements of Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. That clause required implementation of National Institute of Standards and Technology (NIST) SP 800-171 on systems that process Covered Defense Information, but it provided no certification or compliance-reporting mechanism: contractors self-attested, and nobody verified the attestation. As a result, controls were implemented to inconsistent levels of maturity, many companies fell short of their security obligations, and the government supply chain was left at risk.
DFARS 252.204-7021, published September 29, 2020, introduced CMMC: a tiered standard keyed to the sensitivity of the data handled, plus a certification component in which independent third-party assessors validate an organization's controls against the practices required at its level.
Driven by industry feedback, CMMC has since been reworked into a hybrid certification model. This revision, CMMC 2.0, was announced on November 4, 2021. The changes are intended to reduce barriers to compliance for small and mid-sized firms while keeping the original goal of protecting the Defense Industrial Base from cyber attacks. CMMC 2.0 focuses on the most critical requirements and streamlines the model from five to three compliance levels.
CMMC addresses requirements for the protection of two categories of information, FCI and CUI:
- Federal Contract Information (FCI) – Information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government. FCI does not include information the government provides to the public (such as on public websites) or simple transactional information such as that needed to process payments.
- Controlled Unclassified Information (CUI) – Information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
As stated by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), CMMC 2.0 requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets out how the requirements flow down from prime contractors to their subcontractors.
The New Maturity Level Guidelines
CMMC 2.0 streamlines the maturity model from five to three compliance levels:
- Level 1 – Foundational: covers FCI only. Organizations conduct an annual self-assessment against the basic safeguarding requirements of FAR 52.204-21.
- Level 2 – Advanced: covers CUI and is aligned with the 110 security requirements of NIST SP 800-171. For a subset of programs an annual self-assessment is permitted; contracts involving information critical to national security require a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO).
- Level 3 – Expert: covers the most sensitive CUI. It builds on a Level 2 C3PAO certification, adds a subset of the enhanced requirements from NIST SP 800-172, and is assessed by the government (DoD) rather than by a C3PAO.
To read the full whitepaper, download:
Understanding Cybersecurity Maturity Model Certification (CMMC) 2.0 Compliance