The United States Department of Defense (DoD) is gradually implementing the CMMC model (first announced on January 31, 2020) to standardize cybersecurity preparedness across the federal government's Defense Industrial Base (DIB). This new framework is a collection of different processes and other existing frameworks, such as NIST, FAR, and DFARS.
The primary goal of the CMMC is to improve the security of CUI and FCI held by federal contractors. It is expected that beginning in 2026 CMMC will be a mandatory requirement for all new DoD requests.
To whom does it apply?
The certification applies to both ‘prime’ contractors who directly work with DoD and to ‘subcontractors’ who work with ‘prime’ contractors for the execution of those contracts.
CMMC is important because statistics show that around $600 billion is lost from the global GDP annually due to cybercrime. The DoD has to rely on a large number of contractors across the world to execute its mission. Admittedly, this dependence systematically increases the risk profile of the DIB.
The DoD also understands that cybercrime risk is a huge burden on its subcontractors, as many of them are small businesses with limited resources. Against this backdrop, the CMMC was released to facilitate the adoption of best practices in cybersecurity.
Different levels of Cybersecurity Maturity Model Certification
There are five CMMC levels of preparedness, from level 1 (lowest) to level 5 (advanced). The certification will ensure the protection of the following two types of information from unauthorized use:
- Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
- Federal Contract Information (FCI): Information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public.
Framework Components
The certification has four different components, as follows:
- Domains
- Processes
- Capabilities
- Practices
Overall certification to a level is achieved when a contractor advances in their assessments in each of these components. Both ‘prime’ contractors and ‘subcontractors’ are assessed on their adherence to the processes and practices.
A quick summary
At present, CMMC seems very complicated, as it has many interconnected and moving parts. The following key points summarize it:
- Domains: 17
- Capabilities: 43 (mainly collections of practices)
- Practices: 171
- Processes: Maturity Levels 1 to 5
- Certification levels: 5
Processes are assessed for maturity level. Domains are made up of practices, and they encompass the processes. Certification to a level requires mastery of each domain, including its practices and processes.
How to get CMMC certified
A non-profit, independent Accreditation Body (AB) has been created by the DoD to accredit Third Party Assessment Organizations (3PAOs) along with individual assessors. More details will be released to the public soon, as the DoD plans to establish a healthy marketplace for 3PAOs.