What is the CMMC?

Earlier this year, the DoD announced a new standard for cybersecurity certification of its contractors and sub-contractors. The standard is known as Cybersecurity Maturity Model Certification and includes a five-tier approach to determining the adequacy and effectiveness of contractors’ controls and processes for protecting the department’s controlled unclassified information (CUI).

Who Needs to be Compliant?

Simply put, all organizations who currently do or plan to do business with DoD, including all levels of subcontractors, will be required to obtain CMMC certifications.

What Standards are Included?

From DoD’s preliminary release of the criteria, it appears several standards are included in the CMMC framework. However, the foundation of the CMMC is NIST Special Publication (SP) 800-171. The criteria details “key sets of capabilities for cybersecurity”, in the form of domains, that determine an organization’s compliance level within the CMMC. The CMMC contains five compliance levels and 18 different domains, 14 of which come from the NIST SP 800-171 security requirements family. The 18 domains are:

  • Access Control
  • Asset Management*
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Cybersecurity Governance*
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Recovery*
  • Risk Assessment
  • Security Assessment
  • Situational Awareness*
  • System and Communications Protection
  • System and Information Integrity

*Denotes domain is not a part of the NIST SP 800-171 security requirements family

Other standards used in the CMMC include NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others.

Can my Organization Self-Certify?

Contractors will not be able to self-certify as compliant with the CMMC and will be required to use designated third-party auditors to complete the certification. At this time, the cost of gaining CMMC certification is unknown. However, the DoD will consider CMMC certification as an allowable, reimbursable expense.

When are the Implementation Deadlines?

The DoD plans to release V1.0 of the CMMC in January of 2020 and expects to begin verifying contractors shortly after its release. Beginning in September 2020, the DoD plans to include the CMMC as a requirement in its Request for Proposals (RFPs).

What can my Organization do now to Prepare for CMMC Certification?

If you know that your organization will need to obtain CMMC certification, we recommend reviewing the current version (latest version is v0.4 as of this blog’s publication date) of the CMMC criteria and finding a security partner to help you assess your current compliance level. We also strongly recommend engaging with a third-party to ensure you are compliant with NIST SP 800-171. Achieving NIST SP 800-171 compliance early on will put your organization in a strong place come release of v1.0 in January 2020. Want to take it a step further? Your organization can also achieve compliance in the other standards utilized in the CMMC criteria including NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933.

Want to achieve NIST SP 800-171 compliance? Contact a HORNE Cyber expert today.


Subscribe to Blog