What is CMMC?
The present compliance standard for protecting and safeguarding CUI is National Institute of Standards and Technology (NIST) SP 800-171. It requires that Federal contractors and sub-contractors ‘self-certify’ that they are compliant in order to bid on federal/DoD contracts that contains.
Due to the lack of ‘third party’ verifications, the DoD came up with the Cybersecurity Maturity Model Certification (CMMC). The CMMC gives the department a mechanism to certify the cyber readiness of the largest defense contractors — those at the top who win contracts are called “primes” — as well as the smaller businesses that subcontract with the primes. CMMC mostly deals with Controlled
It’s all about protecting and safeguarding Controlled Unclassified Information (CUI).
CMMC
It’s all about protecting and safeguarding Controlled Unclassified Information (CUI). CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government wide policies.
CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract.
The present compliance standard for protecting and safeguarding CUI is National Institute of Standards and Technology (NIST) SP 800-171. It requires that Federal contractors and sub-contractors ‘self-certify’ that they are compliant in order to bid on federal/DoD contracts that contains.
Due to the lack of ‘third party’ verifications, the DoD came up with the Cybersecurity Maturity Model Certification (CMMC). The CMMC gives the department a mechanism to certify the cyber readiness of the largest defense contractors — those at the top who win contracts are called “primes” — as well as the smaller businesses that subcontract with the primes. CMMC mostly deals with Controlled Unclassified Information (CUI) which is not classified information.
The CMMC will encompass multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.
Table 1: CMMC Maturity Levels
What does it mean for defense contractors?
Unlike NIST SP 800-171, the CMMC model possesses five levels. Each level consists of practices and processes as well as those specified in lower levels. A Third-Party Assessment Organization (3PAO) performs the assessment and recommends/do not recommend CMMC certifications.
No existing contracts with the department will have CMMC requirements inserted into them. The new CMMC provides for five levels of certification in both cybersecurity practices and processes.
Eventually CMMC will translate in to civilian and non-defense federal contractors. This will be the new Cybersecurity standard that Federal Agencies adopt in the near future.
How do companies prepare to bid for DoD and Federal Contracts that require CMMC?
The CMMC Accreditation Body (CMMC-AB) The CMMC Accreditation Body (AB), a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC AB will provide the requisite information and updates on its website
The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs as well as other information. After the CMMC Marketplace is established, DIB companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.
Organization that are interested in bidding for DoD and federal contracts should start preparing for CMMC now. The CMMC-AB will start listing Assessors and Practitioners in their marketplace. There are some clarifications provided in CMMC Model Appendices for each control.
What is CUI and FOUO, and how can my organization prepare for it?
CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
CUI, established by Executive Order 13556, is an umbrella term for all unclassified information that requires safeguarding. FOUO, which stands for ‘For Official Use Only’, is a document designation used by the DoD.
Those organizations that start preparing for CMMC levels now will get an advantage to bid for any contractors that require CMMC. Preparing for CMMC levels and getting ready for an Assessment takes some time. DoD is already including CMMC requirements in to their contracts now. CMMC Level 3 is the most common level and will qualify for most of the federal contracts for small and medium sized businesses.