Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a training, certification, and third-party assessment program of cybersecurity for DoD contractors (also referred to as the Defense Industrial Base or DIB). Why should you care about CMMC? FAR and DFARS clauses require it. It will be a factor in proposal scores (e.g. the Polaris GWAC scores 6,000 points for cybersecurity and 5,000 for risk assessment compared to 750 points for CMMI certification). NASA, DHS, GSA, and other government organizations are expected to follow DoD with the implementation of CMMC. These are the important bullet points for CMMC:

• FAR 52.204-21. Basic Safeguarding of Covered Contractor Information Systems. Correlates with the CMMC Level 1 requirements for protecting Federal Contract Information (FCI).
• DFARS clause 252.204.7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (October 2016) required compliance with NIST SP 800-171 no later than December 31, 2017.
• DFARS clause 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements (November 2020). Suppliers are required to perform an assessment for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order, at a Basic, Medium, or High level in accordance with the NIST SP 800-171 DoD Assessment Methodology and submit their score (not more than 3 years old) in the Supplier Performance Risk System (SPRS). A Basic assessment is a self-generated score. A Medium assessment is performed by the Government. A High assessment includes everything in a Medium assessment as well as validation of the contractor's System Security Plan (SSP).
• DFARS clause 252.204.7020 NIST SP 800-171 DoD Assessment Requirements (November 2020). Defines Basic, Medium, and High assessments.
• DFARS clause 252.204-7021 Cybersecurity Maturity Model Certification Requirements (November 2020). Requires CMMC certificate at the CMMC level appropriate for the information that is being flowed down to the contractor.
• CMMC v1.0 was released on January 31, 2021.
• CMMC v2.0 was released on November 4, 2021. Per Town Hall sessions held by the Deputy DoD CIO (David McKeown) in February 2022, CMMC v2.0 is not expected to be finalized until it completes the DoD rulemaking process which could take up to 24 months. The new version simplified the program:
  • 3 Levels
    • Level 1. Foundational
      • For contractors and subcontractors that only handle Federal Contract Information (FCI) as defined in the FAR. The DoD estimates that about 140,000 such companies exist in the DIB.
      • 17 security controls aligned with FAR 52.204-21.
      • Annual self-assessment.
    • Level 2. Advanced.
      • Allows CUI handling.
      • Aligns with NIST SP 800-171 rev 2. 110 security controls. The rumor is that the "delta 20" which were in the CMMC v1.0 Level 3 will be added in to NIST SP 800-171 version 3. These include FAR Clause 52.204-21, NIST SP 800-53 Rev. 4, an d NIST Cybersecurity Framework (CSF) v1.1). Includes Level 1 requirements.
      • Annual self-assessment.
      • Triennial 3rd-party and government-led assessments for some Level 2 programs. The original estimate is that 40,000 companies will require 3rd party assessment. Per the February 10, 2022 Town Hall, Deputy DoD CIO David McKeown said further analysis has shown all 80,000 CMMC Level 2 DIB contractors will require third-party assessments.
    • Level 3. Expert.
      • NIST SP 800-172 Enhanced Security Requirement for Protecting Controlled Unclassified Information, a supplement to NIST SP 800-171. Includes Level 2 requirements.
      • Only about 500 companies out of 300,000 in the DIB will be subject to Level 3 certification.
      • Triennial 3rd-party and government-led assessments via the Defense Contract Management Agency Defense (DCMA) Industrial Base Cybersecurity Assessment Center (DIBCAC).

• "CMMC eMASS" is expected to be available to the DIB to store assessment artifacts, create POA&Ms, and maintain the System Security Plan (SSP). Expected April/May 2022.
• A Plan of Action and Milestones (POA&M) will be allowed for up to six months for non-compliant controls. POA&Ms for the highest-weighted requirements will not be allowed. A minimum score will be required to support certification with POA&Ms. Waivers will be allowed on a very limited basis, accompanied by strategies to mitigate CUI risk. Waivers will be time bound and require senior DoD approval.
• The Department of Justice announced in their Civil Cyber-Fraud Initiative that they will utilize the False Claims Act to pursue cybersecurity-related fraud by government clients (which includes falsely claiming compliance with CMMC). 
• The government may offer incentives for DoD contractors who comply earlier than the CMMC v2.0 implementation deadline (or when it makes it through the rulemaking process and the DFARS clauses are allowed in contracts).
• DoD will lay out the new policies, such as waiver processes, through Title 32 National Defense regulations. The Pentagon will also codify the policy into Title 48 Federal Acquisition Regulations (FAR) and Defense Acquisition Regulation Supplement (DFARS) so contracting officers can use CMMC 2.0 in acquisitions. This could take up to 2 years (expect CMMC 2.0 to be in contracts by summer 2023). Rulemaking under 32 CFR is required to establish the CMMC program. Rulemaking under 48 CFR is required to update the contractual requirements in the DFARS to implement the CMMC 2.0 program. Until rulemaking formally implements CMMC 2.0, the DIB's participation in CMMC will be voluntary. Expect the final CMMC Rule 32 CFR and 48 CFR between December 2022 and May 2023.
• The CMMC Assessment Process (CAP) was released on July 26, 2022. C3PAOs can begin assessing DIB companies now.
• CMMC Roles:
  • OSC. Organization Seeking Certification
  • C3PAO. CMMC Third-Party Assessor Organization. Contract with OSCs, hire and train certified assessors, schedule assessments, and manage assessments.
  • Assessors. Certified CMMC Professionals (CCP) and Certified CMMC Assessors (CCA). Credentialed to conduct assessments at a particular level (1, 2, or 3).
  • RP. Registered Practitioner. Individuals that provide advice, consulting, and recommendations to their clients. Do not conduct Certified CMMC Assessments.
  • RPO. Registered Provider Organization. Implementers and consultants that assist companies with CMMC. Do not conduct Certified CMMC Assessments.
  • LPP. Licensed Partner Publisher. Publish educational courses and content related to CMMC.
  • LTP. Licensed Training Partner. Provide education and training services related to CMMC.