What you need to know about CMMC
The Department of Defense published its Cybersecurity Maturity Model Certification (CMMC) Program final rule (32 CFR Part 170) on October 15, 2024. The final rule is set to come into effect on December 16, 2024.
CMMC compliance helps organizations that work with the defense industry, or that have suppliers and customers in their defense supply chain, meet contractual security requirements to protect Controlled Unclassified Information (CUI) that the DoD or prime contractors share with their contractors and subcontractors. These requirements will be included in defense contracts after rulemaking is finalized.
A comprehensive assessment mechanism
The CMMC framework was first announced in 2019 and the publication of this latest proposed rule for CMMC 2.0 has generated much discussion amongst the Defense Industrial Base (DIB). The long-anticipated proposed rule lays out the implementation plan for CMMC 2.0, including a ‘comprehensive assessment mechanism’. It is seen by many as an expansion and a tightening up of the previous version in response to ever-growing cybersecurity risks.
The DoD currently requires contractors and subcontractors who handle CUI to meet National Institute of Standards and Technology (NIST) controls. However, there has not been a systematic process for checking that controls are being met. Under the CMMC program, the intention is that organizations are assessed according to the level of CMMC certification required so that compliance is verified prior to contracts being awarded.
New affirmation requirement
Depending on the sensitivity of the information an organization handles, there are three levels of CMMC certification: level one, assessed via self-assessment; level two, assessed by an independent third-party assessor organization; and level three, assessed by the DoD.
The proposed rule states that CMMC level two certification will be valid for three years, but it also requires an annual affirmation from a senior official confirming the organization's compliance with the cybersecurity requirements. This requirement would also flow down the supply chain to applicable subcontractors, so it is potentially far-reaching.
“When it comes to demonstrating CMMC compliance, third party assessment provides robust and trusted verification that specific security requirements are being met. This is the level of assurance the DoD is seeking with its new proposed rule. C3PAOs play a vital role in helping maintain the DoD’s robust standards for processing, storing or transmitting sensitive information,” says Tony Giles, Director of Information Security at NSF.
Giles goes on to say, “We anticipate demand for level two assessments will be high and that the CMMC ecosystem will need time to ramp up. We therefore recommend contractors start their journey to CMMC certification today in order to give themselves enough time to ensure they meet the robust requirements.”
Working with an Assessment Organization
According to the proposed assessment mechanism, those who require level two CMMC certification will need to be successfully audited by an authorized CMMC Third Party Assessment Organization (C3PAO).
C3PAOs are accredited to assess organizations against CMMC requirements, and in March 2023 NSF gained authorization from the Cyber AB to verify defense contractors’ compliance with CMMC through independent audits.
NSF also provides assessment services to organizations that require only a level one self-assessment but are seeking the rigor and robustness that come from working with an independent third party.
Get ahead by starting your journey to maintaining your DoD supplier status today. There are a number of ways to prepare. For example, we are able to perform NIST 800-171 gap assessments now, which can provide defense contractors with insight into their organization’s preparedness for a CMMC assessment.