Roadmap to Meeting NIST 800-171 Requirements
Download this free infographic roadmap now.
Cybersecurity Maturity Model Certification 2.0
The Cybersecurity Maturity Model Certification (CMMC) is a new requirement for existing DoD contractors, replacing the self-attestation model and moving to third-party certification.
In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:
For reference, click here for the most current CMMC 2.0 (released November 2021).
What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use as a “go / no go decision.”
Why is the history of CMMC?
CMMC was to be built on existing requirements such as NIST SP 800-171, NIST SP 800-53, AIA NAS9933, private sector contributions, and input from academia. This new certification is intended to tighten cybersecurity within the defense industrial base. CMMC consists of five levels to measure cybersecurity practices of contractors.
In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.
In March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation.
In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:
Certification Assistant: Manage risk and streamline the Department of Defense certification process.
NIST 800-171 & CMMC Basic Assessment: An Audit-Ready NIST 800-171 and CMMC 2.0 Basic Assessment from an Exostar-vetted Cybersecurity Partner
Exostar PolicyPro: Build and maintain security policies more easily, and in line with NIST 800-171 and CMMC standards.
Partner Information Manager (PIM): Reduce risk while simplifying challenges managing and securing complex partner and supplier networks.
ForumPass Defense: Protect documents inside and outside your organization with a secure and intuitive platform.
Prior CMMC Releases
CMMC V1.02 – Released March 2020
CMMC v1.0 – Released Jan 2020
Articles
What is CMMC and Why is it Essential?
The Verdict is In: Self-Attestation it Out.
Why security can’t be the Fourth Procurement Pillar
Links
Infographic: Top 5 Concerns about Securing the DoD Supply Chain
WEBINAR (On-Demand): CMMC Documentation and Policy Requirements
Video: A Contractor’s Guide – Navigating the Coexistence of NIST 800-171 & CMMC
Cybersecurity Maturity Model Certification: Office of the Under Secretary for Acquisition & Sustainment
FAQs
CMMC V.1 brief
CMMC model: Complete framework
Download this free infographic roadmap now.
Download this free informational guide now.
Issued May 21, 2021
Effective 11/30/2020
CMMC 2.0 Level 1 (Foundational) only applies to companies that focus on the protection of FCI. It is comparable to the old CMMC Level 1. It consists of only practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21, commonly referred to as the FAR Clause.
CMMC 2.0 Level 2 (Advanced) is for companies working with CUI. It is comparable to the old CMMC Level 3. Level 2 requirements will mirror NIST SP 800-171 and eliminate all practices and maturity processes that were unique to CMMC.
CMMC 2.0 Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on DoD’s highest priority programs. It is comparable to the old CMMC Level 5. Level 3 will be based on a subset of NIST SP 800-172 requirements. Details will be released at a later date.