PCI DSS 4.0 - Are You Ready? Get a Discount on a Readiness Assessment - Learn More
Department of Defense CMMC
Author Picture

Updated on August 10, 2022 by Anthony Jones

Listen to: "What You Need to Know about the CMMC "

Cyber attackers continue to target contractors in the Defense Industrial Base (DIB) sector with increasing frequency. This sector supports the Department of Defense (DoD), in terms of research, development, acquisition, production, and delivery.

The loss of intellectual property (IP) in the DIB sector can undercut the U.S. advantage in technology, increasing the risk to national security. The DoD is, therefore, working with contractors to increase the protection of unclassified information within the DIB supply chain. This includes the development of the Cybersecurity Maturity Model Certification (CMMC) framework.

Because CMMC compliance requirements are still evolving, many DIB contractors have questions about it. We’ve tried to supply some answers to the most common questions contractors are asking.

What is the CMMC?

The CMMC framework includes many processes and best practices in cybersecurity that are drawn from a variety of sources, including DIB contractors and other DoD stakeholders. This framework organizes those processes and practices into domains and maps them across multiple maturity levels. It also aligns practices with capabilities within each domain.

How Is it Different from NIST SP 800-171?

The US government is using CMMC certification as a vehicle to audit compliance with NIST SP 800-171, a publication that recommends requirements for protecting CUI. DoD contractors have been required to comply with NIST SP 800-171 since January 1, 2018, but the levels of adoption have remained low since then. CMMC was created to remedy this problem, which will ultimately affect over 200,000 contractors even by the most conservative estimate.

Even if contractors comply with CMMC, it doesn’t mean they comply with all NIST SP 800-171 requirements. NIST 800-171 includes 110 CUI controls in addition to 63 Non-Federal Organization (NFO) controls. Contractors still need to comply with both the CUI and NFO controls, even though NIST 800-171 primarily focuses on the storage, transmission, and processing of CUI.

CMMC Assessment and Certification Process

The CMMC model includes five maturity levels designated ML 1 through ML 5. Each level has progressively greater compliance requirements with respect to NIST 800-171.

  1. ML 1 deals with performance. It has associated practices, but no process requirements.
  2. ML 2 adds documentation requirements. Organizations must establish domain policies and the CMMC practices needed to implement those policies to reach this level.
  3. ML 3 includes management requirements. Organizations must establish, maintain and provide resources for each of their domains.
  4. ML 4 requires organizations to review the effectiveness of activities within their domains.
  5. ML 5 adds the requirement for contractors to optimize and standardize their approach towards their domains across all organizational units.

Choosing a Third-Party Assessment Organization

The latest changes to CMMC prevent contractors and their subcontractors from self-assessing their security posture. An official CMMC third-party assessment organization (C3PAO) must now conduct on-site inspections to ensure contractors are in compliance with CMMC requirements.

DoD solicitations could include CMMC requirements as early as June 2020 and will become mandatory by September 2020. It doesn’t appear that these requirements will become retroactive at this time. Failure to meet the requirements of a particular maturity level prevents contractors from bidding on DoD solicitations with that maturity level or higher.

Watch this video for more information about the impact of updated CMMC cybersecurity assessment model, audit procedures, and certification standards for DoD contractors.

What Does it Mean to be Compromised?

Section 252.204-7012 the Defense Federal Acquisition Regulation Supplement (DFARS) describes a cyber incident as an action taken on a DOD contractor’s information system that results in an actual or potentially adverse effect on the data it contains. This broad definition includes actions taken by DoD contractors themselves and unauthorized intruders. In other words, a cyber incident includes any action performed by any party that could have compromised DoD data, even if it didn’t actually do so.

The compromise of a contractor’s information system doesn’t automatically result in the loss of certification. However, it does appear at this that the DoD will authorize program managers to require recertification from the contractor if they feel it’s necessary. It’s still unclear how the DoD will impose this obligation and what standard it will use to determine that recertification is necessary.

What Type of Companies Need CMMC?

All contractors doing business with the DoD are required to obtain a CMMC rating, whether they’re a prime contractor or sub-contractor. It also applies to equipment manufacturers and material suppliers, even if they don’t directly provide their products to DoD. Furthermore, CMMC requirements are only the first step towards improving the security of organizations in the DIB sector.

Your Compliance Partner

I.S. Partners can help you achieve and maintain CMMC, allowing you to continue doing business with the DoD. We begin this process with an evaluation to determine what changes you need to make in your security posture. We can then provide strategic advice on how to make those changes.

I.S. Partners is now CMMC certified. Call us today at 215-675-1400 or visit us online to request a quote.

Get a Quote Try our Compliance Checker

About The Author

Author Picture

Anthony Jones

Anthony has over 20 years of experience and has worked with a variety of industries, including Health Care Insurance, Banking and Financial Services, Information and Analytics, Telecom, and Utilities. Anthony has extensive knowledge in IT Security consulting; he is also a Certified Information Systems Auditor (CISA), and Project Management Professional (PMP) designation holder with expert ability to accurately determine needs, understand risk tolerances, offer alternatives to current situations, develop action plans and cultivate longstanding client relationships. Anthony’s area of expertise consists of MAR, HIPAA and Sarbanes Oxley Compliance, IT Security and Privacy Management, Enterprise Risk Management (ERM), Health Care Insurance Banking and Financial Services, Manufacturing and Utilities. Prior to joining IS Partners, LLC Anthony spent 12 years with PWC as a Senior Manager in Business Risk Solution (BRS) Practice advising Fortune 100 financial services, manufacturing, Insurance and utility companies. Anthony graduated Saint Joseph’s University. Anthony received his MBA from SJU Haub School of Business.
Anthony Jones frequently blogs for I.S. Partners, LLC.
clip

Get Hassle-free Pricing in 3 Easy Steps

1
Request a quote using the form below
2
Allow us to create a customized plan
3
We'll get you an accurate, no-obligation quote
Untitled-1 Asset 1 Request a Quote Background

Request a Quote

Please fill out the form below and one of our compliance specialists will contact you shortly. Want to speak to us now? Call us at (866) 335-6235 or book a meeting with one of our experts.

Great companies think alike!

Join hundreds of other companies that trust I.S. Partners for their compliance, attestation and security needs.

Teladoc VeriClaim DentaQuest VisioNet Verifacts Sterling AV Med DOE Legal