The Cybersecurity Maturity Model Certification (CMMC) is a major Department of Defense (DoD) program built to protect the defense industrial base (DIB) from increasingly frequent and complex cyber attacks. It particularly aims to enhance the protection of controlled unclassified information (CUI) and federal contract information (FCI) shared within the DIB.
CMMC builds on existing trust-based regulations (DFARS 252.204-7012) by adding a verification component for cybersecurity requirements.
DoD's Office of the Under Secretary of Defense for Acquisition & Sustainment [OUSD(A&S)] developed the CMMC Framework, working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry. The Framework combines various cybersecurity standards and best practices, intended to:
All DoD prime- and sub-contractors planning to bid on future contracts with with the CMMC DFARS clause will be required to obtain a CMMC certification prior to contract award. Some prime- and sub-contractors accessing, processing or storing FCI (but not CUI) will minimally require a Level 1 attestation. A DoD contract will specify which level of compliance a contractor needs to meet.
All DIB members should learn the CMMC's technical requirements not only for certification but for long-term cybersecurity agility. However, DoD recognizes that many DIB members are small businesses that lack the resources of their larger, prime counterparts. As a result, the CMMC Framework incorporates cost-effective and affordable controls for small businesses to implement at the lower CMMC levels.
Overall, CMMC is designed to provide DoD increased assurance that a DIB company can adequately protect sensitive CUI and FCI, accounting for information flow down to subcontractors in a multi-tier supply chain.
The CMMC Framework requires a systematic approach to certification mapped to three organizational maturity levels: Foundational, Advanced, and Expert.
Detailed information about CMMC can be accessed at the DoD website.
To achieve certification at each level, organizations undergo a third-party assessment by an accredited and certified CMMC assessor who evaluates their adherence to the required practices and processes. The certification demonstrates the organization's commitment to cybersecurity and its ability to protect sensitive information within the defense supply chain.
It is important to note that the specific set of practices and processes required at each level are outlined in the CMMC model documentation, and organizations must align their cybersecurity programs accordingly to achieve the desired certification level.
The CMMC governance process refers to the framework and procedures established to oversee and manage the implementation, assessment, and certification of the Cybersecurity Maturity Model Certification (CMMC) within an organization. It involves various steps and activities to ensure compliance with CMMC requirements and maintain the security of sensitive information. While the specific governance process may vary depending on the organization, here are some common elements:
Establishing Policies and Procedures: The governance process begins with defining and documenting policies, procedures, and guidelines related to cybersecurity and CMMC compliance. This includes developing a cybersecurity policy, incident response plan, access control procedures, and other relevant documentation.
Assigning Responsibility: Clearly defining roles and responsibilities within the organization is crucial for effective CMMC governance. Designate individuals or teams responsible for overseeing cybersecurity efforts, managing CMMC compliance, and coordinating assessments and certifications.
Training and Awareness: Conduct regular cybersecurity training and awareness programs for employees to ensure they understand their roles, responsibilities, and the importance of adhering to CMMC requirements. This includes educating employees on cybersecurity best practices, incident reporting procedures, and the organization's policies and procedures.
Implementing Controls and Practices: Implement the necessary cybersecurity controls and practices based on the specific CMMC level the organization is aiming to achieve. This includes deploying technical solutions, establishing access controls, conducting vulnerability assessments, and enforcing security policies.
Conducting Self-Assessments: Perform regular self-assessments to evaluate the organization's compliance with CMMC requirements. Self-assessments can help identify any gaps or weaknesses and allow for corrective actions to be taken before the formal assessment.
Engaging with Third-Party Assessors: When the organization is ready, engage with certified Third-Party Assessment Organizations (C3PAOs) to undergo an official CMMC assessment. The C3PAO will evaluate the organization's cybersecurity practices and determine if it meets the requirements for the desired CMMC level.
Remediation and Continuous Improvement: If any deficiencies or non-compliance issues are identified during the assessment, develop and implement remediation plans to address them. Additionally, establish a process for continuous improvement by regularly reviewing and updating cybersecurity controls, practices, and policies based on emerging threats and industry best practices.
Maintaining Documentation: Maintain proper documentation of policies, procedures, assessments, certifications, and other relevant records to demonstrate compliance with CMMC requirements. This documentation is necessary for ongoing governance, audits, and future assessments.
The governance process ensures that the organization maintains a robust cybersecurity posture, aligns with CMMC requirements, and continuously improves its cybersecurity practices to protect sensitive information and support the defense supply chain.