What You Need to Know About: Cybersecurity Maturity Model Certification (CMMC)

The Department of Defense must share classified and unclassified information with vendors during any contract. To ensure that vendors manage Controlled Unclassified Information (CUI) properly, it designed the Cybersecurity Maturity Model Certification (CMMC), a security framework that organizations must follow to bid on and win DoD contracts.

The Cybersecurity and Infrastructure Security Agency (CISA) defines the Defense Industrial Base as “the worldwide industrial complex that enables research and development of military weapons systems, subsystems, and components or parts.” It includes over 100,000 organizations – plus their subcontractors – who provide products and services to the US Department of Defense (DoD).

To fulfill contracts, it is necessary for the DoD to share sensitive information with its contractors, including classified and Controlled Unclassified Information (CUI). CUI is information that is not classified, but still requires protection from unauthorized access and release. CUI is much more common than most organizations realize. Even if a company is only a third-party supplier to a government contractor, flow-down terms and specifications can be considered CUI. This can include:

  • Personally Identifiable Information (PII): Any data that can be linked to a specific individual, including a full name, usernames and passwords, physical address, email address, and passport, driver’s license, or social security number.
  • Sensitive Personally Identifiable Information (SPII): SPII is a subset of PII that, if compromised, could lead to significant harm or risks for the individual to whom it pertains. This includes social security numbers, financial account numbers, biometric data, and health records.
  • Proprietary Business Information (PBI): Confidential or sensitive data, knowledge, or assets that are owned and used by a company for its competitive advantage. PBI includes trade secrets, customer lists, research data, financial data, source code, and other intellectual property.
  • Unclassified Controlled Technical Information (UCTI): Sensitive technical information that is not classified but is still subject to controls and protections “on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.”
  • Sensitive but Unclassified (SBU): Information that is not classified but warrants protection from unauthorized disclosure for other reasons. This could include personal information on individuals, law enforcement information, and intra- or inter-agency communications.

Cybersecurity Maturity Model Certification (CMMC)

The CMMC was introduced in January 2020 to allow the DoD to measure the maturity of an organization’s cybersecurity practices. It is modeled on several existing cybersecurity standards used by the federal government, primarily NIST 800-171.

After receiving agency and contractor feedback about the original standards, the DoD announced CMMC 2.0 in a November 2021 update to streamline requirements. CMMC 2.0 reduced CMMC 1.0’s five tiers of maturity to three: Foundational, Advanced, and Expert. The level of compliance required of an organization varies with the form and sensitivity of the CUI it works with. A comparison of requirements for CMMC and CMMC 2.0 appears below.

CMMC 2.0 requires three different levels of controls and assessments, tailored to the sensitivity of the information being handled:

CMMC Level 1: Foundational: Level 1 pertains to safeguarding Federal Contract Information (FCI), information that requires protection but is not considered critical to national security. It is expected to apply to most federal contracts and excludes Commercial Off the Shelf (COTS) software. Level 1 encompasses 15 security practices sourced from FAR Clause 52.204-21: Basic Safeguarding of Covered Contractor Information Systems. Level 1 certification requires annual self-assessments and attestations.

CMMC Level 2: Advanced: If your organization handles CUI, it will likely need Level 2 certification. This requires compliance with the practices detailed in NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Organizations needing Level 2 certification must undergo annual self-assessments for non-prioritized acquisitions and triennial third-party assessments for prioritized acquisitions.

CMMC Level 3: Expert: Level 3 certification is required for the highest priority CUI. In addition to the controls detailed for Level 2 certification, Level 3 requires organizations to implement a subset of security practices from NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information. Organizations must also undergo triennial DoD assessments.

When Is CMMC Compliance Mandatory?

The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts. CMMC requirements began in 2020/2021. In 2025, it is expected that CMMC compliance will be required for all contracts other than off-the-shelf software.

How Defendify Can Help Comply with CMMC

All organizations working with the DoD directly or as a subcontractor will need to meet Level 1 compliance. This requires a combination of basic cybersecurity hygiene and high-level risk assessments. The safeguarding requirements in FAR Clause 52.204-21 include an obligation to “perform periodic scans of the information system.” Defendify’s Vulnerability Scanner automates the process of identifying vulnerabilities in your organization’s network and systems.

Understanding the threats to FCI and CUI requires an assessment of your existing security posture. Defendify’s Cybersecurity Risk Assessment Tool maps your controls to NIST SP 800-171 and several other security standards used by federal agencies. To understand how a sophisticated attacker might reach and steal government data, Defendify provides penetration testing of external and internal networks and of web and mobile applications. The result includes intuitive reports with complete test results, including attack methods, exploits, prioritized vulnerabilities, and recommendations.

Ready to see Defendify in action? Schedule time to connect with a Defendify Cybersecurity Advisor.
