The Cybersecurity Maturity Model Certification (CMMC) is the new unified framework to be used by the Department of Defense (DoD) for future acquisitions for both prime and subcontractors that provide goods and services to the DoD. In the past, both prime and subcontractors would need to attest to Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 compliance1 as part of the award process. CMMC contrasts DFARS 252.204-7012 by forcing the requirement before award, or “pre-award.”
Contractors will be evaluated based upon the implementation of actual technical controls in addition to their documentation and policies. The CMMC framework adds a certification element to verify that contractors have implemented the practices and processes associated with the achievement of a CMMC maturity level. The CMMC was designed to provide increased assurance to the DoD that contractors can protect Controlled Unclassified Information (CUI) at a risk level commensurate for information flow down in a multi-tier supply chain.
The CMMC encompasses 17 capability domains, five processes across five levels to measure process maturity (CMMC L1-L5), and 171 practices across five levels to measure technical capabilities. As the DoD releases a request for information (RFI) for contracts beginning in June 2020, the DoD will assign a minimum CMMC certification level. Any prime or subcontractor wanting to bid on those contracts will need to certify to that required CMMC level prior to the contract being awarded.
The following is a breakdown of the number of practices and processes introduced at each CMMC level based on version 1.0 of the CMMC framework:
| CMMC Level | Practices | Processes |
| Level 1 | 17 | 0 |
| Level 2 | 55 | 2 |
| Level 3 | 58 | 1 |
| Level 4 | 26 | 1 |
| Level 5 | 15 | 1 |
As you can see from the table, an organization that would need to certify as a CMMC Level 2 would need to certify 72 practices (17 from Level 1 and 55 from Level 2). Of these practices, 17 comply with the Federal Acquisition Regulation (FAR) 48 CFR 52.204-21, 48 are from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171,2 and seven support intermediate cyber hygiene. At CMMC Level 3, an organization would need to comply with FAR, all the practices from NIST SP 800-171, and 20 additional practices to support good cyber hygiene. At CMMC Level 4 and 5, the framework introduces compliance with certain practices based on the draft NIST SP 800-171B framework plus other cybersecurity frameworks such as CIS Controls 7.1, NIST Cybersecurity Framework (CSF), CERT Resilience Management Model (CERT RMM) v1.2, and NIST SP 800-53 r4.
For an organization to certify itself against the CMMC, the organization will need to contract with a third-party assessor organization (3PAO). The 3PAO will provide validation for an organization to the accreditation body, which will then be provided to the DoD as proof of certification. Sikich has helped many companies over the years to meet DFARS 252.204-7012 compliance. Sikich’s team of cybersecurity experts stands ready to assist with meeting and certifying your organization against the CMMC framework.
1 https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
2 https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
