What Is the Cybersecurity Maturity Model Certification (CMMC)?

What Is the Cybersecurity Maturity Model Certification (CMMC) and Who Does It Apply To?

The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive assessment framework and certification program launched by the Department of Defense to protect the Defense Industrial Base (DIB) from increasingly frequent and complex cyberattacks. It requires organizations, contractors, and subcontractors of the DIB to adhere to enhanced cyber protection standards–based on standards published by the National Institute of Standards and Technology (NIST)–to protect sensitive unclassified information, including Controlled Unclassified Information (CUI), Federal Contact Information (FCI), and all types of Federal data within non-Federal systems.

CMMC compliance is required of any individual in the DoD supply chain, including contractors and subcontractors, reportedly applying to over 300,000 organizations. Not all organizations, contractors, and subcontractors will require the same level of certification, however, which is dependent on the type of data being handled.

What Is CMMC 2.0 and When Will It Go Into Effect?

The current version of CMMC, which was rolled out as an interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS) in September 2020, was considered the DoD’s initial vision for the program and outlined the basic features of the framework. But in November 2021, the DoD launched “CMMC 2.0,” marked by the proposed rule published in the Federal Register that same month, which aims to:

  • Simplify compliance by allowing self-assessment for some requirements
  • Apply priorities for protecting DoD information
  • Reinforce cooperation between the DoD and industry in addressing evolving cyber threats

The planned schedule currently calls for CMMC rulemaking to be complete by May 2023, and it is expected (but not guaranteed) to start appearing in DoD contracts in July 2023, roughly 60 days after the rulemaking process is complete.

The 3 Levels of CMMC 2.0

CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. And once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award. Any organization that handles CUI, for example, should plan to be compliant with at least Level 2 by July 2023.

Level 1 (Foundational)

This level is for organizations that only have FCI, and is comparable to the old Level 1 in CMMC 1.0. Level 1 is based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, which focuses on protecting FCI. Companies and organizations within this level must conduct an annual self-assessment to prove they are compliant in order to get their certification.

Level 2 (Advanced)

As mentioned earlier, this level is for organizations that work with CUI and is comparable to the old Level 3 in CMMC 1.0. Level 2 requirements are in complete alignment with NIST SP 800-171 requirements. When it comes to certification, organizations within this level are split into two groups:

  • CUI with prioritized acquisitions: Organizations that have CUI with prioritized acquisitions, which is information deemed critical to national security, will be required to undergo third-party assessments for certification every 3 years.
  • CUI with non-prioritized acquisitions: CUI without prioritized acquisitions, which is information not critical to national security, can perform an annual self-assessment for their certification as Level 1 organizations do.

Level 3 (Expert)

This level is for organizations that work with high-priority CUI and is comparable to the old Level 5 in CMMC 1.0. This level will use NIST SP 800-171 requirements and a subset of NIST SP 800-172 requirements. Level 3 organizations will always be subject to a government-led assessment for certification every 3 years.

How To Get a Head Start On CMMC Compliance

With CMMC 2.0 likely only months away from coming into effect, getting a head start on CMMC compliance will be key to success. Preparation can begin by implementing a data classification solution, which organizes data into categories, gives you more control over your data, and makes data easier to locate and retrieve. Or to go a step further, implementing a data classification solution pre-configured for handling CUI makes it easy for organizations to implement the CUI framework required by CMMC and NIST SP 800-171 standards accurately and consistently.

Learn more about our easy-to-deploy, pre-configured data protection solution, Titus Config for CUI, by watching our on-demand demo today.

This post was first first published on Titus website by Robbie Araiza. You can view it by clicking here