CMMC – it’s a term you may have seen out there, especially if you follow IT or defense industry sources. It’s been generating significant attention for several years as the Department of Defense (DoD) has worked to transition CMMC from a proposal to an operational program. Let’s cut through the buzz and dive into what CMMC really is.
CMMC first is an abbreviation, standing for the Cybersecurity Maturity Model Certification. That should give us some hints, of course. Cybersecurity refers to protecting electronic information – check! Maturity indicates there are levels or tiers – check! Model means it’s a system for how things work – check! And Certification implies there’s a testing or assessment process – a final check! While these hints help, they don’t fully explain what CMMC is. So, let’s break it down in simple terms.
CMMC is a new program designed for vendors, contractors, and suppliers who work within the Defense Industry and handle sensitive information related to government contracts in the US. What vendors you ask? The easy answer is most, if not all. The slightly more accurate version, although a little more nuanced, is all vendors who work on contracts for the DoD and receive non-public sensitive information on government contracts – Federal Contract Information (FCI) – and/or non-public sensitive information on Defense systems – Controlled Unclassified Information (CUI). While CMMC is officially rolling out this year it’s been something the DoD has been working on for a long time, stretching all the way back to at least 2016 with the requirements of the Defense Federal Acquisition Regulation System (DFARS). Even before that, the DoD realized it needed to require its contractors to strengthen their cybersecurity to protect the technical and contract information about its defense systems even while they were in the manufacturing stage. Because the U.S. Defense Industrial Base (DIB) includes both large prime contractors and smaller subcontractors, these cybersecurity requirements must apply across the board to safeguard sensitive data at all levels. Easy, right?
CMMC is now a requirement for contractors. However, not everyone will be subject to it at once as it’s being implemented in a phased approach to give businesses time to get their ducks in a row. And by ducks in a row, what it really means is to apply the security control requirements from NIST Special Publication 800-171. These 110 security controls, ranging from administrative controls like policy and procedures, through technical configuration controls like firewalls and encryption, all the way to Physical security controls like a secure facility and designated processing systems. Every organization that handles sensitive FCI or CUI will need to follow the program, and this consists of implementing the controls, and depending on the contract, either self-certifying to the government that the controls are adequately working, or for more sensitive contracts, passing a third-party security assessment and being certified as being compliant.
At this point, you’ve probably realized a few things. First, CMMC is required, a little complicated, and important. Second, it’s full of acronyms and abbreviations which we’ll break down in future blogs. Third, because it’s a whole cybersecurity program that needs to be implemented, it’s big, expansive, and detailed—all the more reason for us to spend time in more blogs breaking the parts down and explaining them. So that’s charting our path. We’re going to start breaking CMMC down into smaller bite-sized chunks so we can examine it and explain what it all means, one bit at a time.
