What is Cybersecurity Maturity Model Certification (CMMC)?

First: The Definition of a Maturity Model.

Okay, before we jump into CMMC, it’s important to understand what a maturity model is… which is a tool to measure the ability of an organization to continuously improve in a particular discipline. Organizations use these frameworks as a baseline to gauge their current state in a specific area. In a nutshell, a maturity model is a methodology for assessing an organization’s current state, potential for growth, or ability to improve in a certain area of its processes. 

Why aren’t you telling me about CMMC yet?

Ok, the reason I told you that is because the acronym CMMC stands for Cybersecurity Maturity Model Certification; and the current version, CMMC 2.0, sets out seventeen (17) practices across three (3) levels. According to the Department of Defense (DoD), the loss of controlled unclassified information (CUI) from the defense industrial base (DIB) supply chain has led to increased risk for our economy and national security. CMMC 2.0 is designed to assess DoD contractors’ organizations and their implementation of cybersecurity, as well as the maturity of its processes. This includes if the organization has the ability to improve and optimize its security, while simultaneously maintaining it. Additionally, it also covers the degree to which security measures are employed, and whether an organization manages security in a proactive or reactive manner.

The DoD released CMMC 1.0 on January 31st, 2020 with the goal of establishing a procedure to ensure all aspects of the DoD supply chain are secure. The certification built off of existing regulations like NIST 800-171 and Defense Federal Acquisition Regulation Supplement (DFARS), which requires DoD contractors to protect all controlled unclassified information (CUI) and Federal Contract Information (FCI) within their ecosystem. That’s right, just because CMMC isn’t officially in motion, doesn’t mean you don’t have to worry about it. DoD contractors are already required to comply with NIST 800-171 and DFARS!

Why do I keep hearing about changes to CMMC?

Great question! That’s because there have been changes until now, because currently it’s an ongoing process. Let’s continue through the timeline for reference. In response to feedback received regarding the first version, CMMC 2.0 was released on November 4th, 2021. Why? There were a couple reasons:

1. Reduce Costs – There was a desire to reduce red tape and expenses, particularly for small businesses. CMMC 2.0 allows all Level 1 – Foundational and a subset of Level 2 – Advanced, to show compliance through self-attestation  (or self-assessment).
2. Simplify – CMMC 2.0 focuses on the most critical requirements, reducing the model from five to three compliance levels. It also allows waivers of CMMC requirements, and lets organizations create their own Plan of Action & Milestones (POA&M) to obtain certification, under certain circumstances.
3. Alignment – Portions of CMMC 1.0 required clarification and alignment with cybersecurity requirements of other Federal regulations. CMMC 2.0 now lines up with commonly accepted standards like the National Institute of Standards and Technology’s (NIST) cybersecurity standards, and removes CMMC-unique practices.
4. Increase Acceptance – This one is arguably the most important. This latest version intended to increase trust in the CMMC assessment process itself. #okwewillcomply

Yes, there is more change. To make the CMMC 2.0 version release more confusing, the DoD released an Interim Rule on September 29th, 2020, only nine months after CMMC 1.0. It became effective on Nov. 30, 2020, amending DFARS to implement the CMMC framework. The interim DFARS rule established a five year “phase in” period (2021-2025), during which CMMC compliance was only required in select pilot contracts, to be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. The DoD won’t approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process. Starting in 2021, the first select pilot contracts started to implement CMMC requirements for Level 3 and below with the US Navy, US Air Force, and Missile Defense Agency. 

Why is it taking so long you ask? Well, CMMC is still evolving. Stacy Bostjanick, director of CMMC policy for the DoD, said part of the reason the process is being held up is because of an adjustment to the program’s rulemaking requirements. Originally, CMMC was expected to be a DFARS supplement clause. Upon further review, it was determined that CMMC would need to go through a different Code of Federal Regulations rulemaking process to become a formal program.

Are you CMMC 2.0 ready?

It’s time! On April 4th, 2022, Bostjanikc announced a new Interim Rule at the NDIA New England 6th Annual Cybersecurity Summit. It looks like May 2023 is going to be the deadline, and CMMC 2.0 requirements will start to appear in DoD contracts by July 2023, 60 days after the public comment period. It takes up to a year to complete the certification process. Are you ready?

For questions about CMMC, DFARS, NIST, or anything else, reach out. Idenhaus Consulting keeps organizations compliant through current / future state assessments, System Security Plan (SSP) / POA&M creation, as well as maintenance, and proven methodologies with decades of experience. Our consultants deliver quality work, on time, with a smile. Tune in next week for the details on how to get CMMC 2.0 compliant. The deadline is approaching fast! 

Schedule a 15-minute introductory call with one of our consultants today.