The Cybersecurity Maturity Model Certification (CMMC) lays a framework to implement cybersecurity policies and practices for organizations throughout the Defense Industrial Base (DIB).
The Department of Defense is phasing in CMMC certification on a rolling schedule that began with a self-assessment requirement for existing contractors announced in November 2020 and effective in January 2021. By fiscal year 2026, all new defense contracts will contain CMMC certification requirements. By then, nearly every vendor in the national defense supply chain will need to be CMMC certified. For many contractors, especially small businesses, becoming CMMC-compliant could mean a complete overhaul of their cybersecurity programs.
The new cybersecurity standards are slated to transform the industry. Yet, 58% of contractors aren't familiar with the initiative. So, NQA created this guide to CMMC, with all the requirements explained straightforwardly, to help your organization get up to speed and prepare for this change.
Overview Of CMMC
In 2015, the DOD published a cybersecurity clause in the Defense Federal Acquisition Regulation Supplement (DFARS). Its goal was to ensure private contractors maintained cybersecurity standards. These contractors had until Dec. 31, 2017, to comply, but the self-attestation method DFARS relied on proved insufficient when it came to protecting these networks.
In 2016, the U.S. economy lost between $57 billion and $109 billion due to malicious cyberactivity. There have even been cases where American adversaries may have developed military technology based on stolen data. Chinese intelligence may have obtained F-35 stealth fighter jet designs from a 2009 breach that enabled them to design and build J-20 and J-31 jets.
The main goal of the CMMC is to protect two forms of unclassified information:
•Federal contract information (FCI): Information generated by the government, necessary for the development of a product or service but not intended for public release
•Controlled unclassified information (CUI): Any information that requires safeguarding but isn't considered classified under Executive Order 13526 or the Atomic Energy Act
The loss of CUI from the Defense Industrial Base poses a risk to national security. So, as cybercrimes continue to evolve, the U.S. Department of Defense (DOD) has developed new measures to increase security across the defense supply chain: the CMMC standards.
CMMC means "Cybersecurity Maturity Model Certification." It's a new set of standards from the DOD to enhance the cybersecurity capabilities of defense contractors in the DIB. Threat attempts on DOD systems are at an all-time high, with cybersecurity officials dealing with hundreds of thousands of probes every day. The CMMC standards will become part of DFARS and will be a requirement for contract awards. The basic purpose of requiring CMMC certification is to protect CUI and ensure all defense contractors have basic cyber hygiene measures in place.
The DOD released version 1.0 of the CMMC standards on January 31, 2020. While there's no certification process in place yet, organizations can now begin to review their cybersecurity processes and improve their capabilities to align them with these standards. If you are a prime contractor, you can also begin preparing your supply chain to develop programs to meet the standards.
While the CMMC standards offer many improvements, defense contractors have always been responsible for implementing cybersecurity measures. The 110 security requirements included in the National Institute of Standards and Technology (NIST) SP 800-171 Rev 1 are also part of the CMMC Levels 1-3 certification requirements. The new standards also incorporate practices and procedures from other sources, including:
•CERT Resilience Management Model (CERT RMM) v1.2
•CIS Controls v7.1
•Draft NIST SP 800-171B
•FAR Clause 52.204-21
•NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1
•NIST SP 800-53 Rev 4
The CMMC certification standards unify these standards into one universal framework for defense contracts.
The new standards introduce the need for third-party assessments to certify CMMC compliance with mandatory procedures, capabilities and practices. The standards also introduce a five-level certification model. Each level increases the number of cybersecurity practices and policies an organization must use. The DOD Requests For Information (RFIs) and Requests For Proposals (RFPs) will specify the required level of certification. Contractors also need to renew their CMMC certifications every three years to ensure continued compliance. Refusing to meet these standards will automatically disqualify companies from applying for any new DOD contracts in the future.
By unifying and improving upon the standards already in place, the CMMC will make contractors and subcontractors more agile and able to prevent and respond to evolving cybersecurity threats.
Industries CMMC Certification Applies To
Who should be certified to CMMC? The short answer is anyone in the defense contract supply chain. The DOD estimates the roll-out of CMMC standards will affect 300,000 companies. Most contracts will require a certification between Level 1 and Level 3 to qualify for government contracts.
The CMMC standards will apply to DOD contractors that handle CUI. The categories of information the Executive branch protects as CUI include:
•Critical Infrastructure
•Defense
•Export Control
•Financial
•Immigration
•Intelligence
•International Agreements
•Law Enforcement
•Legal
•Natural and Cultural Resources
•NATO
•Nuclear
•Privacy
•Procurement and Acquisition
•Proprietary Business Information
•Provisional
•Statistical
•Tax
Even if a DIB company doesn't have or make CUI, if it has Federal Contract Information (FCI), it must meet FAR Clause 52.204-21 and be certified at a minimum of CMMC Level 1.
The certification requirements apply to suppliers at all tiers along the supply chain. So, a subcontractor for a DOD contract will also need a CMMC certification. Subcontractors won't necessarily need certifications at the same level as the prime contract. Instead, the level will depend on the type and nature of information flowed down from the prime contract. The only exception to CMMC certification requirements within the DIB sector is for companies that solely produce Commercial-Off-The-Shelf (COTS) products.
Those in the DIB, such as aerospace manufacturing, will need CMMC certification. Any subcontractor at any tier in the supply chain will need at least a Level 1 Certification to be included in DOD subcontracts. So, any software or service providers, such as logistics, IT or communications companies that contribute to the DOD supply chain, are likely to be subject to the new CMMC standards.
Only about 1% of DIB companies have implemented all 110 NIST practices. Since many of the NIST requirements lay the framework for the CMMC requirements, it presents a major gap in preparedness for many contractors who will need to meet CMMC requirements.