CMMC (maturity model)

DoD stands for the Department of Defense, the federal executive department of the United States responsible for coordinating and supervising all agencies and functions related to national security and the armed forces. In “Implementing Foundational Cybersecurity for DoD Contractors Using CMMC Levels 1 & 2 and NIST SP 800-171,” DoD refers to the department overseeing cybersecurity requirements for its contractors.

What:

A consistent pre-award assessment methodology to determine whether a prospective contractor has implemented cybersecurity protections necessary to adequately safeguard DoD information.

Why:

To increase the cybersecurity posture of the DIB and better protect sensitive unclassified information.

How:

All defense contractors and subcontractors will show compliance with applicable security requirements through self-assessment or independent assessment, prior to contract award (excluding Commercial-Off-The-Shelf procurements).

CMMC APPLICABILITY

CMMC Program requirements will apply to all DoD solicitations and contracts for which a defense contractor or subcontractor will process, store, or transmit FCI or CUI on its unclassified contractor information systems.

New DoD solicitations

New DoD procurement instruments including contracts, task orders, delivery orders

As a condition to exercise an option period

Subcontractors are subject to flow-down requirements

Federal Contract Information (FCI): information that is not marked as public or for public release and is not designated as CUI

Defined in FAR 52.204-21

Minimum safeguarding requirement: 48 CFR 52.204-21

EXISTING DOD CYBERSECURITY REQUIREMENTS

DFARS clause 252.204-7012 – Effective Oct 2016 (to be implemented by Dec 2017)

Safeguard DoD CUI that resides on or is transiting through a contractor/subcontractor internal information system or network by implementing NIST SP 800-171 at a minimum

Report cyber incidents that affect contractor/subcontractor ability to perform requirements designated as operationally critical

DFARS Provision 252.204-7019 – Effective Nov 2020

Implement DFARS clause 252.204-7012 and have at least a Basic NIST SP 800-171 DoD Assessment that is current (i.e., not more than three (3) years old unless a lesser time is specified in the solicitation) posted in SPRS

DFARS clause 252.204-7020 – Effective Nov 2020

Provide Government access when necessary to conduct or renew a higher-level Assessment

Include requirements of the clause in all applicable subcontracts and ensure applicable subcontractors can conduct and submit an Assessment

CMMC assesses whether a prospective DoD contractor has implemented these standards

When specified in a solicitation, all CMMC requirements must be met prior to award

Revised CMMC Framework requirements

LEVEL 3

Requirements (134 total):

– 110 requirements from NIST SP 800-171 r2

– 24 requirements from NIST SP 800-172

Assessment:

– DIBCAC assessment every 3 years

– Annual Affirmation

LEVEL 2

Requirements:

– 110 requirements aligned with NIST SP 800-171 r2

– C3PAO assessment every 3 years, or “Self-assessment every 3 years for select programs.”

– Annual Affirmation

LEVEL 1

Requirements:

– 15 requirements aligned with FAR 52.204-21

– Annual self-assessment

– Annual Affirmation

CMMC ALIGNMENT TO NIST

SP 800-171 REVISIONS

DoD followed federal rulemaking guidelines when aligning CMMC assessment requirements to NIST SP 800-171 Rev 2.

Defense contractors can implement NIST SP 800-171 Rev 3, but must comply with Rev 2 requirements not covered in Rev 3 to meet CMMC assessment requirements.

DoD will incorporate Rev 3 with future rulemaking

CONDITIONAL AND FINAL STATUS

An OSA may achieve a Conditional CMMC Status if the initial assessment (with passing score) resulted in allowable POA&M items.

An OSC achieves a Final CMMC Status when assessment results in a passing score with no POA&M, or when the POA&M has been closed out within 180 days of achieving a Conditional CMMC Status.

CMMC Post-Assessment Remediation

CMMC Program will allow limited use of POA&Ms

POA&Ms are not allowed for CMMC Level 1.

Refer to § 170.21 of the 32 CFR CMMC Program final rule for CMMC Level 2 and Level 3 POA&M requirements, including critical requirements not allowed in a POA&M.

Closeout Assessment

POA&M closeout Self-Assessment is conducted by the OSA.

POA&M closeout Certification Assessment is conducted by a C3PAO or the DIBCAC.

POA&Ms must be closed out within 180 days of when the CMMC Assessment results are finalized and submitted to SPRS or CMMC eMASS, as appropriate.

Failure to close POA&M within 180 days will result in an expired CMMC Status

CMMC SCORING

Level 2: Security requirements are valued 1, 3, or 5 points with a range of -203 to 110, with a minimum passing score of 88. Partial credit is allowed for 2 requirements:

MFA: 5 points deducted from overall score of 110 if MFA is not implemented or implemented only for general users and not remote and privileged users;

MFA: 3 points deducted if MFA is implemented for remote and privileged users but not implemented for general users;

FIPS: 5 points deducted from overall score of 110 if no cryptography is employed;

FIPS: 3 points deducted if cryptography is employed, but not FIPS validated.

Level 3: All Level 3 security requirements are valued 1 point with a maximum score of 24.

Requires a prerequisite Level 2 score of 110.

Results for all Levels are posted in SPRS and reviewed by contracting officers and requiring activities.
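The scoring rules above, worked through in code (an added example, not from the page or from DoD). It assumes the MFA and FIPS requirements are NIST SP 800-171 r2 items 3.5.3 and 3.13.11; the other requirement ids and weights in the sample are constructed.

```python
# Added example (not from the page or from DoD): SPRS-style CMMC Level 2 scoring.
# Assumption: MFA and FIPS are NIST SP 800-171 r2 requirements 3.5.3 and 3.13.11.
from dataclasses import dataclass

PERFECT_SCORE = 110   # all 110 requirements met
PASSING_SCORE = 88    # minimum passing Level 2 score
MINIMUM_SCORE = -203  # every requirement unmet: the 1/3/5 weights sum to 313
MFA_REQ, FIPS_REQ = "3.5.3", "3.13.11"

PARTIAL_DEDUCTIONS = {  # partial credit keyed by (requirement, observed state)
    (MFA_REQ, "general_users_only"): 5,      # scored like MFA not implemented
    (MFA_REQ, "remote_privileged_only"): 3,
    (FIPS_REQ, "no_cryptography"): 5,
    (FIPS_REQ, "non_fips_validated"): 3,
}

@dataclass(frozen=True)
class Finding:
    req_id: str
    weight: int   # 1, 3 or 5 points
    state: str    # "not_met" or one of the partial-credit states above

def deduction(f: Finding) -> int:
    """Points removed from 110 for one requirement that is not fully met."""
    if f.weight not in (1, 3, 5):
        raise ValueError(f"{f.req_id}: weight must be 1, 3 or 5")
    if f.state == "not_met":
        return f.weight
    if (f.req_id, f.state) not in PARTIAL_DEDUCTIONS:
        raise ValueError(f"{f.req_id}: no partial credit for {f.state!r}")
    return PARTIAL_DEDUCTIONS[(f.req_id, f.state)]

def level2_score(findings) -> int:
    """110 minus all deductions; requirements not listed count as met."""
    ids = [f.req_id for f in findings]
    if len(ids) != len(set(ids)):
        raise ValueError("each requirement is scored once")
    score = PERFECT_SCORE - sum(deduction(f) for f in findings)
    if score < MINIMUM_SCORE:
        raise ValueError("deductions exceed the 313 points available")
    return score

def level2_outcome(score: int, open_poam_items: int) -> str:
    """Below 88 fails; passing with open POA&M items is Conditional (180 days
    to close out); passing with none open is Final."""
    if score < PASSING_SCORE:
        return "not passing"
    return "Final" if open_poam_items == 0 else "Conditional"

# Constructed sample: MFA for general users only, crypto not FIPS-validated,
# plus a 3-point and a 1-point requirement not met (placeholder ids).
SAMPLE = [Finding(MFA_REQ, 5, "general_users_only"),
          Finding(FIPS_REQ, 5, "non_fips_validated"),
          Finding("3.x.y", 3, "not_met"), Finding("3.x.z", 1, "not_met")]
```

A Level 3 assessment is scored separately (24 one-point requirements) and is only reached once `level2_score` returns 110.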

STANDARDS ACCEPTANCE

Contractors and subcontractors that completed a DCMA DIBCAC High Assessment aligned with CMMC Level 2 Scoping are eligible for a CMMC Level 2 Final Certification Assessment under the following conditions:

– Achieved a perfect score with no open POA&M from a DCMA DIBCAC High Assessment conducted prior to the effective date of the CMMC rule

– CMMC Level 2 will be valid for 3 years from the date of the original High Assessment.

– Eligible High Assessments include those conducted under DCMA’s Joint Surveillance authority.

– Scope of the CMMC Level 2 Final Certification Assessment is identical to the scope of the High Assessment

Cybersecurity Maturity Model Certification: What is it?

Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

DoD is requiring Cybersecurity Maturity Model Certification to reflect adequate protection of CUI.

The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”.

The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.

What does this mean for responding to a DOD Request for Proposal (RFP) or Information (RFI)?

Adequate cybersecurity measures must be in place at the level imposed by DoD in the Request for Proposal (RFP) or Request for Information (RFI).

Implementation of these measures must be certified by an accredited third-party assessment organization (C3PAO) in order for the “organization seeking certification” to accept contract terms.

How Do I Achieve this?

If you have responded or plan to respond to a DoD RFI or RFP:

Understand: You will need help from your unit’s IT manager, along with a C3PAO for CMMC Level 2 and DIBCAC for CMMC Level 3.

Cost: Include costs to implement CMMC as a direct cost in your proposal budget along with substantiation of costs.

Implement: You will need to have requirements in place AND third-party certification for “organization seeking certification” to accept terms of a resulting contract.

Aspect-by-aspect comparison of CMMC 1.0 and CMMC 2.0:

CMMC 1.0:

– Number of Levels: Five (Levels 1-5)

– Level 2 Content: Custom set of 72 practices, including process institutionalisation

– Maturity Processes (MLs): Required for Levels 2-5

– Self-Assessment Allowed: Not permitted; all levels require third-party certification

– Level 3 Definition: Undefined, with evolving practices

– Flowdown Requirements: Ambiguous in early documentation

– Implementation Timeline: A gradual rollout (2020-2025) is planned

– Public Comments/Rulemaking: No formal rulemaking is planned

CMMC 2.0:

– Number of Levels: Three (Levels 1, 2, and 3)

– Level 2 Content: Full 110 practices from NIST SP 800-171

– Maturity Processes (MLs): Removed entirely from all levels

– Self-Assessment Allowed: Allowed for Level 1 and non-prioritized Level 2

– Level 3 Definition: High-level alignment with NIST SP 800-172 (details pending)

– Flowdown Requirements: Clarified; subcontractors may be required to meet the same levels

– Interim rule: An interim rule is in place, and a final rule is

Cybersecurity Maturity Model Certification (CMMC), signed into law on November 4, 2010, was the government’s effort to protect the U.S. defence supply chain. It mandates that private DoD contractors adopt cybersecurity standards that align with NIST SP 800-171. DFARS, the Defence Federal Acquisition Regulation Supplement, allows contracting companies to “self-attest” to their contract requirements after winning the contract. NIST SP 800-171, developed after the Federal Information Security Act (FISMA) in 2003, governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organisations. The DoD released CMMC v2.0 on October 15, 2024, with an effective date of December 16, 2024. CMMC was created in response to the continued exfiltration of CUI from the supply chain. Unlike the current DFARS requirement, CMMC does not allow POA&Ms. CMMC will serve as the unified standard for cybersecurity, incorporated as a “go/no-go” requirement for DoD acquisitions. The DoD will require certified Third-Party Assessment Organisations (C3PAOs) to conduct audits on all DoD contractors. CMMC requirements are expected to appear in RFPs from mid-2025.

CMMC LEVELS AND REQUIREMENTS

Focus:

– Level 1: Safeguard Federal Contract Information (FCI)

– Level 2: Serve as a transition step in cybersecurity maturity progression to protect CUI

– Level 3: Protect CUI

– Level 4-5: Protect CUI and reduce the risk of Advanced Persistent Threats (APTs)

Level 5:

– Optimised

– Includes 171 controls (including Level 4 controls: Advanced)

– Encompasses ALL controls from 800-171

– Includes a select subset of 4 controls from DRAFT 800-171B

– Includes an additional 11 controls to demonstrate a proactive cybersecurity program

Level 4:

– Reviewed

– Includes 156 controls (including Level 3 controls: Proactive)

– Encompasses ALL controls from 800-171

– Includes a select subset of 11 controls from DRAFT 800-171B

– Includes an additional 15 controls to demonstrate a proactive cybersecurity program

Level 3:

– Managed

– Includes 130 controls (including Level 2 controls: Good Cyber Hygiene)

– Encompasses ALL controls from 800-171

– Includes an additional 20 controls to support good cyber hygiene

Level 2:

– Documented

– Includes 72 controls (including Level 1 controls: Intermediate Cyber Hygiene)

– Includes a subset of 48 controls from NIST 800-171 (CUI)

– Includes an additional 7 controls to support intermediate cyber hygiene

Level 1:

– Performed

– Includes 17 controls: Basic Cyber Hygiene

– Consists of the safeguarding requirements specified in Federal Acquisition Regulation (FAR) 48 CFR 52.204-21

The CMMC effort builds upon existing regulations.

Specific existing regulations and standards include:

– Federal Acquisition Regulation (FAR) 48 Code of Federal Regulations (CFR) 52.204-21

– Defence Federal Acquisition Regulation Supplement (DFARS) 252.204-7012

– NIST SP 800-171 rev 1: A separate special publication from NIST SP 800-53. Many of its controls can be mapped back to an equivalent SP 800-53 control.

– NIST SP 800-171B (Draft)

– NIST SP 800-53

– ISO 27001: A widely used security standard.

– ISO 27032: Another widely used security standard.

– AIA NAS9933: A security standard for small businesses.

The goal of CMMC is to make it cost-effective and affordable for small businesses to implement at the lower CMMC levels. This is achieved by combining controls from the sources above (800-171, 800-171B, 800-53, ISO, amongst others) and mapping them back to CMMC maturity levels. The intent is for certified independent third-party organisations to conduct audits and provide risk information.

ACCESS CONTROL (AC)

Access control is the process of granting or denying requests to use information, to use information processing services, and/or to enter company facilities. System-based access controls are called logical access controls; they determine who or what (in the case of a process) is permitted to have access to a system resource and the type of access permitted.*

Do you securely log into your company systems?

Does your company limit system access to types of transactions and functions?

Does your company restrict access to company facilities?

What is sensitive information?

Do you know how to handle and protect sensitive information?

Audit and accountability (AU)

Companies should create, protect, and retain system audit records to the extent necessary to enable monitoring, analysis, investigation, and reporting of unlawful, unauthorised, or inappropriate system activity. This ensures that the actions of users can be uniquely traced to them, allowing for accountability.

Are users uniquely identified in your systems?

Do you perform any type of event reviews?

Do you have any alerts set up when a failure occurs?

AWARENESS AND TRAINING (AT)

The purpose of information security awareness, training, and education is to enhance security by raising awareness of the need to protect system resources, developing skills and knowledge so system users can perform their jobs more securely, and building in-depth knowledge as needed to design, implement, or operate security programs for organizations and systems.*

Do you have any training on job duties or protection of information?

Is the training recurring?

CONFIGURATION MANAGEMENT (CM)

Configuration management (CM) is a collection of activities focused on establishing and maintaining the integrity of information technology products and systems. It involves controlling processes for initialising, changing, and monitoring the configurations of these products and systems throughout the System Development Life Cycle (SDLC).

Do you have any baseline configurations (software, hardware, etc.)?

Do you set up any specific security settings?

Do you review changes to your systems before they occur?

Do you limit what software can be installed and run on your systems?

IDENTIFICATION AND AUTHENTICATION (IA)

Identification and Authentication (IA) is a technical measure that prevents unauthorised individuals or processes from accessing a system. It is a crucial building block of information security, forming the basis for most types of access control and establishing user accountability.

Here are some questions to consider regarding your systems:

– How do users log into your systems?

– Does everyone have full administrative rights on all systems?

– Do you use any type of multifactor authentication (MFA)?

– Do you have any password requirements set up?

– Do you have a process for removing user accounts when an individual leaves the company?

Patch management

Do you patch your systems regularly?

Do you sanitize systems before sending for repair?

Do you monitor repair personnel?

Physical protection

The term physical (and environmental) security refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.*

RISK ASSESSMENT (RA)

Risk assessments identify and prioritize risks to company operations, assets, employees, and other organizations that may result from the operation of a system.

Companies should periodically assess the risk to operations (e.g., mission, functions, image, and reputation), assets, and employees, which may result from

Do you assess risk to your company and systems?

Do you scan for and remediate systems vulnerabilities?

Do you perform backups of systems?

SYSTEM AND COMMUNICATIONS PROTECTION (SC)

System and communications protection requirements provide an array of safeguards for the system, including the confidentiality of information at rest and in transit. System and communications protection also establishes boundaries that restrict access to publicly accessible information within a system. Using boundary

Do you have firewalls and other segregation on your network?

Do you segregate public-facing systems from internal only systems?

Do you use encryption when transmitting over the Internet?

Do you limit the ability to connect to systems from outside the company?

SYSTEM AND INFORMATION INTEGRITY (SI)

System and information integrity provides assurance that the information being accessed has not been tampered with or damaged by an error in the system.*

Do you use Anti-malware/Anti-virus software and keep it updated?

Do you monitor for system vulnerabilities and/or malicious attacks?
