As of Nov 2021, CMMC 2.0 was introduced and the information below may not apply in its entirety.
Before we discuss who needs to comply with the Cybersecurity Maturity Model Certification (CMMC), let's take a quick overview. Designed by the Department of Defense (DoD), CMMC was launched to streamline the cyber hygiene of vendors that are submitting proposals for defense contracts.
Version 1.0 of the CMMC was originally released on January 31, 2020, with an updated Version 1.02 made available in March 2020. The goal of the CMMC is to address the protection of Controlled Unclassified Information (CUI) across the DoD supply chain, which currently contains more than 300,000 companies.
CUI is not classified information. As defined by the Defense Counter intelligence and Security Agency, CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government wide policies.
The DoD has decided to implement the CMMC to curtail the compromising of sensitive information stored on contractors’ information systems. Cyber threats are considered a top national security priority.
While contractors have always been responsible for implementing and monitoring the security of their data, the CMMC requires them to now be assessed by a third party to guarantee they are compliant with mandatory practices and have the ability to respond to a new and evolving threat landscape.
NIST 800-171 preceded CMMC
Prior to CMMC, the DoD relied on their vendors to perform self-assessments ensure they were compliant with NIST SP 800-171. Under the new guidelines, DoD vendors would need a third-party assessment completed by an approved assessor to achieve certification.
Who needs to comply
Prime contractors and subcontractors doing work for or on behalf of the Department of Defense will be required to have a CMMC certification. The level of certification required will be dependent on the companies' access to CUI.
If a contractor does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1. FCI means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public.
However, this is a small exemption. Organizations that produce only Commercial-Off-The-Shelf (COTS) products are not required to meet CMMC certification. While this exemption is narrow, it's best to not assume it pertains to your organization without having this verified as information is released and updated over the upcoming months.
Prime contractors are those who contract directly with DoD entities. These are typically larger organizations that will likely require certification at a higher level.
Sub-tier Suppliers are those who may be sub-contracted by larger prime contractors to handle projects that are still relevant to the overall supply chain. It is important to note that both groups of contractors will need to be compliant with the CMMC.
While larger prime contractors may obtain certifications at higher security levels, sub-tier suppliers need to ensure that they are also compliant with the security level that is appropriate with the service they are providing. Sub-tier contractors will be required to obtain their own level of certification in order to demonstrate compliance with security standards to the DoD and prime contractors.
A few things to keep in mind
It is important to note that the CMMC was designed with small and medium sized businesses in mind, hence the tiered level approach.
Sub-contractors that only require a lower-level clearance do not need to worry about investing in sophisticated cybersecurity programs, unless they are planning a change in the services they provide.
Additionally, the DoD will not require CMMC compliance for existing contracts. However, these contracts will likely have CMMC provisions included as they are re-solicited in the future.
An estimate provided by the DoD anticipates that all contracts will require CMMC Compliance by 2026.
A CMMC readiness assessment will help you identify your gaps
24By7Security is a Registered Provider Organization (RPO), certified by the CMMC Accreditation Body (CMMC-AB), fully qualified and trained to provide CMMC readiness services and help contractors in the Defense Industrial Base on their path to certification against the CMMC standard.
The 24By7Security team is experienced in preparing organizations for cybersecurity audits, regulatory compliance, and certification readiness. Certification readiness and preparation are the most arduous part of the certification process.