In January 2020, the Department of Defense released v1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework to better assess and improve the cybersecurity posture of the Defense Industrial Base (DIB). CMMC’s purpose is to ensure that appropriate levels of cybersecurity practices and processes are in place to protect federal contract information (FCI) and controlled unclassified information (CUI).
The CMMC is a security framework that was developed to extend these safeguards beyond government agencies. It consists of three levels of certification, ranging from “Foundational Level” to “Advanced Level” to “Expert Level”.
The current DFARS clause doesn’t require 3rd-party assessments; contractors may self-attest that they have complied with NIST 800-171. CMMC, however, will require independent, third-party assessments in order to achieve certification.
The implementation of CMMC in Department of Defense contracts was a major concern upon release of the model.
Fortunately, near the end of 2020, the governing agencies gave insight into some of these questions. The first and most notable is the date by which we can expect to see a CMMC requirement on all contracts and solicitations from the DoD: October 1st, 2025.
This seems like a long way off, but there is still a chance your contract will come under the scope of a CMMC clause requiring certification before then. The DoD plans to slowly begin trickling the CMMC clause into specific, selected contracts over the next few years leading up to October 1st, 2025, when every DoD contract will contain a CMMC requirement. Each year, we’ll see more and more contracts with the CMMC clause in them.
The Key Takeaway:
While there are several years before the clause reaches all contracts, it is inevitable and you could find yourself facing a CMMC requirement earlier than that.
Obtaining CMMC certification has become a topic of much confusion and indirect information. Here are a few things that we know for sure.
Review of Questionnaire information provided to ACCMAUDIT.
Assessment Score Reported in SAM – A Full score and REPORT will be uploaded into SAM for Contract Evaluation.
Gap Analysis Full Report– A report containing all controls, findings, and technical data supporting score.
* Credit will be given if a customer wants to move from a Quick Assessment to a Full Assessment.
Executive Summary Report – A customized report of assessment results for executive management and/or Board of Directors’ consumption. This concise report summarizes all the assessment activities and findings, bringing attention to top recommendations in each phase.
Full Report – A very detailed report containing all controls, findings, recommendations, and technical data supporting score. This report is generally used by operational personnel who will be engaged in developing road maps and remediation.
NIST CSF Report – A very detailed report correlating all assessment activities, findings, and recommendations to the NIST CSF. This is a helpful report for organizations that have chosen the NIST CSF as their framework for managing information security.
SAM Posting – Assessment Score Reported in SAM – A Full score and REPORT will be uploaded into SAM for Contract Evaluation.
Vulnerability Scan Risk Report – The Gap Analysis Full Report plus a technical data report showing the risks related to all vulnerabilities discovered during vulnerability scanning. This report is useful for personnel who are engaged in patching and configuration management.
Project Management – Act as project manager to develop a prioritized Improvement Plan to improve score and security, and manage customer teams to resolve the prioritized items in the Improvement Plan. Re-assess at critical points and update scores with related documents.
The Cybersecurity Maturity Model Certification is a new standard that will take the place of NIST 800-171 on DoD contracts. CMMC is not entirely derived from NIST 800-171; rather, it builds upon it along with many other regulations to create five levels of certification that will better reflect the type of cybersecurity that a contractor will need to attain for a particular contract.
Yes. Version 1.02 is available at https://www.acq.osd.mil/cmmc/.
Yes. Many of the same controls that are in NIST 800-171 will be included in CMMC along with controls from other standards such as ISO, FedRAMP, and various NIST frameworks. CMMC also requires a 3rd party audit in order to gain certification, whereas 800-171 is a “self-certification”.
Nope.
Existing DoD contracts that contain the 252.204-7012 DFARS clause will still require your organization to provide documentation proving compliance with 800-171. We don’t know if Contracting Officers will be asked to modify active contracts to swap 800-171 for CMMC. This may end up being a per-contract decision. CMMC is different from NIST 800-171, but the controls can be mapped from 800-171 to the levels of certification within CMMC.
Yes. All companies doing business with the Department of Defense will need to obtain CMMC certification, even subcontractors.
We’re not sure yet. This will depend entirely upon what level of certification your contract requires and the sensitivity of the information you handle. We can say this: ALL companies handling CUI can expect to need to certify at CMMC Level 3 (which will include all 110 controls from NIST 800-171) at a minimum. Levels 1 and 2 will be required of companies that handle FCI (Federal Contract Information), while Levels 4 and 5 will be required of a small subset of contracts handling extremely sensitive information. The safe bet at this point is to shoot for Level 3.
1. Get NIST 800-171 documentation out of the way. This will get you through many of the CMMC Level 3 requirements and keep you compliant with the current DFARS clause.
2. Identify the remaining CMMC requirements you expect to be subject to (future RFPs or your prime will determine what level you need to meet). Be ready to address any gaps you find and implement solutions to remediate them since CMMC requires 100% implementation. Identify and hire a reputable cyber company to help with pre-audit support.
3. Identify an authorized 3rd party to audit your assessment and give you a certification for the level you need. There are currently no companies that are accredited to give an official CMMC audit and certification, but the CMMC AB has indicated a small number will be available soon.
Current information suggests most CMMC levels will require recertification once every 3 years.
We can’t say for sure. That depends entirely on the market. Our software is cost-effective and practical. Our existing 800-171 platform can get you your NIST 800-171 documentation, and when the time comes, we’ll migrate you to the new CMMC standard at no additional cost. We’ve also screened several auditing organizations and selected our partners based on the promise that they keep their costs low when working with our clients. The cost and associated assessment will likely scale with the level requested.

You will need to become an accredited 3rd-party commercial certification organization. We are not sure what the exact steps are for getting this done right now. We do know that you will need to go through some sort of vetting process to become an accredited auditor. Once you’ve become accredited, you will be able to start auditing companies and handing out certifications.
An organization called the CMMC Accreditation Body. This is a non-profit organization that has signed an MOU with the DoD and will be the entity vetting and selecting C3PAOs.
No. They have made it quite clear that they do not want the organizations who are performing the audits to also be the ones implementing the CMMC requirements for the contractor.
Like NIST 800-171, CMMC requires you to provide a System Security Plan as well as policies and procedures describing how you implement the practices found in CMMC. The auditor will most likely need to provide a Report on Compliance, like those used for PCI and FedRAMP.
Yes. If you want to be a successful CMMC auditor, it is important to keep the same goals in mind as the folks pushing CMMC. They want this to be cost-effective. That means we’re not dealing with a whole lot of “enterprise” customers here. We’re talking about the ENTIRE DoD supply chain, most of which are small businesses. In order to play ball, you’ll need to keep your cost low and keep the process somewhat automated.
“There’s a War going on out There. And it’s not about Bullets and Bad Guys. It’s about Information and Who Controls the Data”