The Department of Defense’s (DoD) latest authentication mechanism, the CMMC solution, is crafted to guarantee that cybersecurity regulations and procedures effectively protect Controlled Unclassified Information (CUI) that is stored on DIB systems and networks.
The DoD introduced standards for securing Covered Defense Information (CDI) and reporting cyber incidents in October 2016 with the publication of DFARS 252.204-7012. The DFARS required DoD Contractors to self-certify that suitable security measures were in place inside contractor systems to protect CDI confidentiality.
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Safeguarding Controlled Unclassified Data in Nonfederal Systems and Businesses, defines the security measures needed by the DFARS. The OUSD (A&S) initiated the CMMC development process in March 2019, issued the first draft of CMMC v1.0 in January 2020, and announced CMMC 2.0 in November 2021. They also intend to publish a handbook for the CMMC Certification Assessment Process (CAP) in June 2022, as well as the most current “interim norm” in May 2023.
CMMC in the Clear Words
After the final regulation is in place, CMMC 2.0 will be phased in for select DoD-identified contractors. When fully functional, CMMC 2.0 is mandatory for all organizations doing business with the Department of Defense at any level. Prime vendors and their suppliers will be expected to fulfill one of the 3 CMMC trust categories and show adequate cybersecurity implementation through independent validation efforts. The award or continuation of a DoD contract will be contingent on CMMC compliance.
Without having fulfilled the CMMC procedure, no vendor companies will be allowed to obtain or exchange DoD information relating to programs and projects. When a contractor’s contract comes up for extension, they must be CMMC competent.
The CMMC was included in Requests for Information (RFIs) in mid-2020 and Requests for Proposals (RFPs) in late 2020. To build a DoD standard for CUI cybersecurity, CMMC compliance requirements are mostly based on NIST SP 800-171.
The CMMC will have three cumulative Certification levels
• Level 1
Foundational: Provides fundamental cybersecurity for small businesses by implementing a subset of globally acknowledged standard practices. At this stage, the procedures would incorporate certain conducted procedures, at least on an ad hoc basis. This level incorporates the same 17 controls stated in the initial CMMC structure, but needs simply an annual self-assessment and validation by business leadership.
• Level 2
Advanced: Covers all NIST SP 800-171 Rev. 2 controls. Processes are established and executed at this level, and there is a thorough understanding of cyber assets. The Department of Defense has reduced the initial 130 controls in the CMMC Level 3 standard to the 110 controls described in NIST 800-171. The Department of Defense is exploring a split procedure that would select “prioritized purchases” that would be subjected to an independent review against the new Level 2 Advance standards on a triannual basis rather than a year self-assessment with certification.
• Level 3
Expert: Contains sophisticated cybersecurity procedures. At this level, procedures include enterprise-wide continuous innovation and defensive reactions executed at machine velocity. This level will take the place of what were formerly known as CMMC Levels 4 and 5. The specifics of this level are currently being worked out. This level is planned to include a subset of measures from NIST SP 800-172 in which an enterprise already has a Level 2 CMMC Accreditation, and the Level 3 measures will be examined by DoD rather than a C3PAO.