CMMC Frequently Asked Questions (FAQ)

What, exactly is CMMC?

Per the Office of the Under Secretary of Defense for Acquisitions & Sustainment, the Cybersecurity Maturity Model Certification (CMMC) is the unified Cybersecurity Standard for Department of Defense (DoD) Acquisitions to reduce the exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB).  CMMC combines various Cybersecurity standards and maps these best practices and processes to maturity levels, ranging from basic cyber hygiene to highly advanced practices. 

The CMMC effort builds upon existing regulation, specifically, 48 Code of Federal Regulations (CFR) 52.204-21 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.201-7012 and incorporates practices from multiple sources such as NIST SP 800-171 Rev 2. and NIST SP 800-172. CMMC also adds a certification element to verify the implementation of cybersecurity requirements.  CMMC is designed to provide the DoD assurance that a Defense Industrial Base (DIB) contractor can adequately protect CUI at a level commensurate with the risk, accounting for flow down to subcontractors in a multi-tier supply chain. The current guidance can be downloaded from: HERE

What are the Levels 1 through 3?

Level 1 (Foundational) focuses on basic cyber hygiene and consists of the safeguarding requirements specified in 48 CFT 52.204-21.  The Level 1 practices establish a foundation for the higher levels of the model and must be completed by all certificated organizations.  There are 17 practices that are expected to be performed to include an annual self-assessment.

Level 2 (Advanced) will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171. Organizations that require access to CUI and/or generate CUI should achieve CMMC Level 2. CMMC Level 2 indicates an advanced ability to protect and sustain an organization’s assets and CUI; however, at CMMC Level 2, organizations will have challenges defending against advanced persistent threats (APTs). There are 110 practices that align with NIST SP 800-171 that are expected to be performed to include Triennial third-party assessments for critical national security information and annual self-assessment for select programs.

Level 3 (Expert) At CMMC Level 3, an organization has a substantial and proactive cybersecurity program. CMMC Level 3 indicates an expert level of maturity, and the organization has the capability to adapt their protection and sustainment activities to address the changing tactics, techniques, and procedures (TTPs) in use by APTs.  There are 110+ practices based on the NIST SP 800-171 and NIST SP 800-172 that are expected to be performed to include Triennial government-led assessments.

What does all this mean to me?

 If your company wants to continue to bid/work on DoD contracts, you will need to be certified at the CMMC level specified within each contract opportunity.