What is CMMC? An Introduction to the Cybersecurity Maturity Model Certification

Initial industry pushback, shifting timelines, and changing requirements have contributed to confusion and uncertainty about CMMC. Today's blog provides readers with clarity on critical questions. Understanding these basics is essential to your organization’s CMMC success. 

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC 2.0) is a framework developed by the United States Department of Defense (DoD) to improve cybersecurity practices among its contractors and reduce the risk of cyber attacks against defense systems. As a set of standards and an assessment framework, CMMC will ensure that all contractors and service providers working with the DoD have the appropriate level of cybersecurity in place. It provides guidelines for implementing cybersecurity measures at three graduated "maturity levels." The framework is designed to be flexible and adaptable, allowing organizations to implement the appropriate level of cybersecurity measures based on their specific needs and the sensitivity of the information they handle. There have been two versions of CMMC: the first was published in 2019, and the second model was released in 2021.

What is the Difference Between CMMC 1.0 and CMMC 2.0? 

After the initial version of CMMC (CMMC 1.0) was met with widespread criticism, the DoD modified the framework. The DoD replaced the 2019 framework with CMMC 2.0 in 2021. It is a more dynamic, flexible, and industry-friendly version of the original. The updated structure and requirements are designed to reduce compliance and certification costs, especially for small businesses, build trust in the assessment ecosystem, and redefine CMMC cybersecurity requirements in alignment with widely recognized cybersecurity standards.

CMMC 2.0 Levels 

CMMC outlines and assesses the implementation of cybersecurity requirements in organizations that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). 

The framework has three levels, each of which consists of a set of practices that organizations must implement to achieve that level. The CMMC framework is coupled with a certification program to assess an organization's compliance with CMMC, verify its implementation of cybersecurity practices, and determine its level of achievement. 

Level 1: This level includes 17 basic safeguarding requirements for Federal Contract Information (FCI) specified in FAR Clause 52.204-21. Achieving Level 1 certification means an organization is eligible to handle FCI. It requires an annual self-assessment.

Level 2: This level includes the 110 security requirements for CUI specified in NIST SP 800-171 Rev 2 per DFARS Clause 252.204-7012.

Level 3: Level 3 focuses on reducing the risk of Advanced Persistent Threats (APTs). Information about this level will be released at a later date and will contain a subset of the security requirements specified in NIST SP 800-172.

To achieve a particular level of CMMC, an organization must also demonstrate that it has achieved all of the practices associated with the lower levels. If an organization does not meet the requirements for its target level, it will be certified at the highest level for which it has met all applicable practices.

What is the Timeline for CMMC? 

Compliance will be required once the framework is implemented via the federal rulemaking process. Rulemaking can take up to 24 months, and while CMMC's timeline has been a topic of debate, we now know CMMC will almost certainly be implemented in March 2023. After sixty days for public comment, in May 2023, CMMC requirements will begin appearing in new and renewing contracts. By October 1, 2025, the rollout will be complete, and CMMC will be mandatory across the Defense Industrial Base (DIB). 

Who Is Required to Comply with CMMC?

The first question many DoD contractors have when confronted with CMMC is whether CMMC applies to them. If you are a defense industrial base (DIB) member, the answer is probably yes. With few exceptions (COTS acquisitions, micro-purchases, and waivers), CMMC requirements will be mandatory, sub-contractors included!

How Do I Determine What Level to Comply With? 

If you work with federal contract information (FCI), or are subject to FAR 52.204-21, you are likely subject to CMMC Level 1. If you are subject to DFARS 252.204-7012 or work with controlled unclassified information (CUI), you are likely required to obtain CMMC Level 2 Certification. If you work with CUI on particularly high-priority programs, you may be subject to Level 3 requirements. 

If you don’t know what type of data you work with or if you are FAR/DFARS compliant, try reviewing your contracts or bids. The information should be listed there. 

Most DIB members (about 140,000 organizations) need only Level 1 certification. About 80,000 DIB members will require Level 2 certification. Few contractors (roughly 500) will be subject to Level 3 controls.

What About Costs?

Certification costs will vary widely depending on business size, maturity level requirements, pre-CMMC cybersecurity practices and policies, and approach. Achieving certification may cost some businesses as little as $30,000. Others may spend upwards of $750,000! In later blogs, we will explore strategies for making the process more affordable. 

How Do I Comply? 

Watch for our next post if you're wondering how to make CMMC certification happen for your organization! We'll be introducing the CMMC compliance and assessment processes. In the meantime, you can reach out with suggestions, questions, and comments here or book a meeting to chat with us. We'd love to hear from you! 
