To protect controlled unclassified information (CUI) that the US Department of Defense (DoD) handles, the department initially required its contractors to comply with the cybersecurity requirements of Defense Federal Acquisition Regulation Supplement (DFARS). However, starting this year , the DoD is shifting to the new Cybersecurity Maturity Model Certification (CMMC) framework.
To help you and other DoD contractors keep up with this transition, we’ve compiled some of the frequently asked questions (FAQs) about the CMMC.
What Is Controlled Unclassified Information (CUI)?
The US National Archives defines CUI as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.”
Further reading: What is CUI? Answers to the Most Frequently Asked Questions
Why Do DoD Contractors Need to Be Concerned About Cybersecurity?
If a DoD contractor falls victim to a cybersecurity incident, it can lead to the loss or exposure of CUI. This threatens national economy and security. To reduce this risk, DoD vendors must enhance its protection of CUI in its networks.
What Is the CMMC Required by the DoD?
CMMC is a cybersecurity framework consisting of multiple maturity levels, ranging from Levels 1 to 5, with 5 as the highest level. It uses different, existing technical frameworks for each of its levels, namely:
- Federal Acquisition Regulation (FAR) 48 CFR 52.204-21
- National Institute of Standards and Technology (NIST) Special Publication 800-171 r1
- Draft NIST SP 800-171B
When Was the CMMC Released?
The CMMC model version 1.0 was released to the public on January 31, 2020. The timeline of the CMMC implementation is shown in the diagram below:
Why Is There a Need to Create the CMMC?
CMMC will be used as a verification mechanism to determine which contractors can bid on certain DoD projects. It ensures that eligible contractors have the appropriate levels of cybersecurity practices and processes that a particular DoD project requires.
The DoD will specify the required CMMC level in requests for information (RFIs) and requests for proposals (RFPs).
Why Is the DoD Switching from DFARS Compliance to CMMC?
While DFARS and CMMC share the same goal of securing CUI, the DoD struggled with a low rate of DFARS compliance. To address this issue, the department introduced CMMC and its five levels as a way to categorize its vendors. Those in Levels 1 and 2 need not meet all the requirements of DFARS since their DoD contracts won’t involve CUI. This is advantageous for companies with limited resources and so have difficulty meeting DFARS compliance.
However, vendors that are already DFARS-compliant can easily obtain CMMC Level 3 by adopting several more cyber hygiene practices when they undergo certification. Those that achieve CMMC Levels 4 and 5 can better protect CUI since they can also reduce the risk of advanced persistent threats (APTs).
What Is the Difference Between DFARS and CMMC?
To be DFARS-compliant, you must adequately address all 14 security requirement families outlined in the NIST SP 800-171. However, you only need to meet this same requirement for CMMC Levels 3 and above. CMMC Level 1 only requires full compliance with FAR 48 CFR 52.204-21, while CMMC Levels 4 and 5 also adopt some of the cybersecurity practices found in Draft NIST SP 800-171B. You can refer to the first diagram above for the different technical frameworks used by each CMMC level.
What’s more, DFARS allows self-certification, while CMMC requires third-party certification. Only accredited CMMC third-party assessment organizations (C3PAOs) and individual assessors can conduct CMMC assessments.
Note: Only the CMMC Accreditation Body (CMMC AB) is authorized to provide a CMMC certification training and the accreditation, and they only opened the accreditation process to applicants on June 22.
How Do You Get CMMC Certification?
Once the CMMC AB publishes its list of approved assessors on their CMMC Marketplace, DoD contractors will be able to pick an accredited CMMC auditor and schedule a CMMC assessment for a specific level.
What Are the CMMC Requirements?
The requirements differ per CMMC level. Below is a quick summary of the total number of practices and technical frameworks adopted by each CMMC level:
How Long Is the Validity of CMMC Certification?
A CMMC certificate will be valid for three years.
Will You lose Your CMMC certification If Your Company Suffers a Cyberattack?
A DoD contractor will not automatically lose its CMMC certification should they experience a cybersecurity incident. However, depending on the circumstances of the incident, the DoD program manager may require the contractor to undergo a reassessment.