On January 30, 2020 the Department of Defense released the Cybersecurity Maturity Model Certification (CMMC). The Department of Defense (DOD) Office of the Undersecretary of Defense for Acquisition and Sustainment developed the CMMC in response to concerns that contractors were not adequately protecting sensitive federal information, known as Controlled Unclassified Information (CUI). Although DOD has been regulating cybersecurity through DFARS 252.204-7012 since 2013, the CMMC is intended to give contractors more specific guidelines.
CMMC Version 1 consists of 5 maturity levels, composed of 17 security domains (i.e. security controls). Each level requires a contractor to implement more security than the one before it. For example, Level 1, Basic Cyber Hygiene is equivalent to basic cybersecurity requirements found in FAR 52.204-21 and requires contractors to implement only 4 security controls. Level 3, Good Cyber Hygiene, equates to the current DFARS cybersecurity requirements, and Level 5, Advanced/Progressive, contains all 17 security controls.
Not only does CMMC give detailed guidance on securing information systems, it also recognizes that cybersecurity requirements must be tailored to the needs of the federal government, and the resources of a contractor. Beginning in June, RFPs will specify the CMMC level a contractor needs to meet to be awarded the contract. While most RFPs will require Level 3 certification, some will require Level 4 or 5 certification. By contrast, small business subcontractors will not have to meet the same requirements to perform under the contract. CMMC tailors the certification levels so that subcontractors may only be required to meet Level 1 or 2 certification, provided that they do not possess any CUI.
Going forward, CMMC will be DOD’s primary mechanism for regulating information systems security. It’s important for DOD contractors to become familiar with CMMC and begin implementing its cybersecurity best practices. However, contractors should be aware that CMMC does not negate their already existing cybersecurity regulations. For example, CMMC does not reference the 72-hour reporting requirement found in DFARS 252.204-7012. Further, it does not define CUI or Controlled Defense Information (CDI). Similarly, CMMC often references NIST SP 800-171’s requirements, the original guide in complying with DFARS 252.204-7012, but doesn’t explain them. CMMC closes the gaps in the existing regulatory framework, but does not replace it.