What is the Cybersecurity Maturity Model Certification (CMMC)?

CMMC stands for “Cybersecurity Maturity Model Certification”. It is a certification all companies working with the U.S. Department of Defense must earn with the exception of companies selling commercial off the shelf (COTS) items. To earn a CMMC certification you will need to undergo an assessment by a third party auditor.

There are five levels of certification. Level one is the easiest to earn (17 security practices), and five the most difficult (171 security practices). Contracts will specify the required CMMC level.

CMMC comes with a new security control framework. It includes 171 security practices. Many security practices are drawn from FAR 52.204-21, NIST SP 800-171, and NIST SP 800-171B. CMMC also draws requirements from other international security frameworks.

Every company providing services to the U.S. Department of Defense will need to earn a CMMC certification. This equates to over 300,000 companies worldwide.

If you do not have any U.S. Department of Defense contracts but are planning to compete for them you will need to earn a CMMC certification. The vast majority of CMMC contracts will have a level 1 requirement (17 security practices). Always check your contract to ensure that it has the CMMC requirement.

CMMC draws many security practice requirements from NIST SP 800-171. CMMC levels 1-3 take almost all of the requirements from 800-171. If your company has already been implementing NIST SP 800-171 controls then you are in a good position for CMMC.

Defense contractors should expect to see new Cybersecurity Maturity Model Certification version 1.0 requirements in requests for information in June and in requests for proposals in November.

In 2021 about 1,600 companies will have a CMMC requirement. The U.S. Department of Defense plans to have all 300,000 companies CMMC certified within the next five years.

The Department of Defense (DoD) set up an independent third party accreditation board. The CMMC Accreditation Body is responsible for organizing the training of 10,000 assessors needed to certify the 300,000 companies working with the DoD. The board will designate certified third party assessment organizations (CSPAOs). Company's will be paying these C3PAOs to assess their cybersecurity controls. The assessment results will be used to assign a cybersecurity maturity level. Based on the assigned level companies will receive a CMMC between level one and five.

As of June 4, 2020 there are no certified CMMC assessors or certified third party assessment organizations. Towards the end of 2020 and the beginning of 2021 assessors will start to become available as they complete their own training and certification process. Assessors will primarily be from the private sector however the U.S. Department of Defense will also have some of its own assessors.

No official pricing has been released yet. The U.S. Department of Defense said that it will cover the cost of undergoing the assessment to earn the CMMC certification. The real cost for CMMC is preparing your organization to earn it.

If you currently have a contract requiring the implementation of NIST SP 800-171 controls then continue implementing them. Finish the action items on your plan of action and milestones (POA&M).

Do you have a U.S. Department of Defense contract but don't have DFARS clause 252.205-7012 in it? Then beginning to implement level 1 CMMC controls is a good idea.