The Cybersecurity Maturity Model Certification (CMMC) is the new cybersecurity standard put in place by the United States Department of Defense (DoD) to regulate the Defense Industrial Base (DIB). To be eligible for DoD contracts, a prime contractor and its subcontractors must demonstrate the required level of compliance for that particular contract.

Drivers Behind the CMMC

Mandating that the DIB maintain a certain level of cybersecurity is nothing new for the DoD. DFARS Clause 252.204-7012 mandated that defense contractors with access to sensitive but unclassified information be compliant with NIST SP 800-171, which mandated that certain cybersecurity controls be put in place.

The problem with this rule is that no mechanism for enforcement existed. Defense contractors were able to self-certify compliance with the regulation. However, a study of defense contractors found that the average organization only implemented 39% of the required security controls. Of the 50 contractors examined, none were fully compliant with the regulation despite there being strong incentives.

Without the proper security controls in place, defense contractors were vulnerable to advanced cyber threat actors seeking government secrets. The CMMC is designed to address this problem by requiring defense contractors to pass a third-party compliance assessment prior to bidding on defense contracts.

Achieving CMMC Compliance

The CMMC is structured to have five different certification levels. All contractors within the DoD’s supply chain are required to achieve and maintain Level 1 compliance to participate in defense contracts. Depending upon the details of a specific contract, higher levels of compliance may be required.

The requirements for each level of CMMC compliance are largely based upon published and drafted federal cybersecurity publications. However, each level 2 and above includes some additional compliance requirements as shown in the table below.

Level

Added Processes

Required Practices

Additional Compliance Requirements

1

Select processes documented where required 17 Full compliance with Federal Acquisition Regulation (FAR) 48 CFR 52.204-21

2

Each practice is documented, including Level 1 practices

A policy exists that includes all activities

72

A select subset of 48 practices from the NIST SP 800-171 r1

An additional 7 practices to support intermediate cyber hygiene

3

A plan exists, is maintained, and resourced that includes all activities

130

Full NIST SP 800-171 r1 compliance

An additional 20 practices to support good cyber hygiene

4

Activities are reviewed and measured for effectiveness (results of the review is shared with higher level management)

156

A select subset of 11 practices from Draft NIST SP 800-171B

An additional 15 practices to demonstrate a proactive cybersecurity program

5 There is a standardized, documented approach across all applicable organizational units 171

A select subset of 4 practices from Draft NIST SP 800-171B

An additional 11 practices to demonstrate an advanced cybersecurity program

To achieve compliance with the CMMC, an organization must undergo a third-party assessment by a certified CMMC Assessor. At this time, however, CMMC Assessor training has yet to exist, and no organizations have been certified to perform CMMC assessments.

How MorganFranklin Can Help

While the processes for undergoing a CMMC assessment are not yet finalized, getting a head start can help an organization rapidly gain certification and eligibility for defense contracts once the processes are in place.

While MorganFranklin is not a certified CMMC assessor, its advisors have extensive experience in federal regulations such as NIST 800-171, and the implementation of required security controls within an organization’s environment. Performing a compliance self-assessment, identifying compliance gaps, and making a plan for remediation are important first steps in the process of achieving CMMC compliance.