What does CMMC stand for? The Cybersecurity Maturity Model Certification is a framework developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD (A&S)) to increase security against evolving threats.
As it continues to evolve, businesses must stay on top of CMMC’s key elements, forthcoming updates, and how organizations can take a proactive approach toward CMMC compliance.
The acronym CMMC stands for Cybersecurity Maturity Model Certification. The DoD developed this framework to standardize the information security posture of organizations in the defense industrial base, particularly those that process, transmit or store federal contract information (FCI) or controlled unclassified information (CUI).
In September 2020, the OUSD (A&S) of the DoD introduced CMMC as an interim rule to the Defense Federal Acquisition Regulation Supplement. The initial vision for the framework included the following features:
The rule set forth in DFARS Case 2019-D041 became effective on Nov. 30, 2020, with a phase-in period of five years. Following a public comment period and internal review in 2021, the DoD announced CMMC 2.0 in November 2021.
CMMC 2.0 is currently in the rulemaking process. Even though the meaning of CMMC remains the same, the second version of this model incorporates several changes concerning implementation and compliance.
The OUSD (A&S) of the DoD developed the CMMC framework and model through contracts with Carnegie Mellon University, the Johns Hopkins University Applied Physics Laboratory and the talent development consulting service Futures Inc.
CMMC refers to controls set forth by the National Institute of Standards and Technology (NIST) in Special Publication 800-171 on protecting CUI in non-federal systems and organizations, and to the enhanced security requirements in the SP 800-172 supplement. Organizations in compliance with these standards cover most of the CMMC requirements.
This model for maturing the security programs of defense contractors differs from other federal information security standards, such as FedRAMP for cloud service providers that host sensitive data. FedRAMP refers primarily to NIST SP 800-53 on system controls and 800-37 on risk management.
CMMC model 1.0 specifies five levels of compliance: basic, intermediate, good, proactive and advanced. Each level in this model covers a set number of security practices and processes:
The first version of CMMC only requires third-party assessments at Levels 1, 3 and 5 and does not mandate assessments for transition levels. Stakeholders should plan ahead for compliance with the forthcoming CMMC 2.0 model, which will have three compliance levels.
Under CMMC 2.0, a Level 1 organization must meet 15 requirements, conduct annual self-assessments and submit affirmations. A Level 2 organization needs to comply with 110 requirements based on NIST SP 800-171. The DoD requires some Level 2 organizations to undergo triennial third-party assessments and provide annual affirmations, while select programs can perform triennial self-assessments and submit annual affirmations.
A Level 3 organization is subject to over 110 requirements based on NIST SP 800-171 and 800-172. Organizations at this level must undergo a triennial government-led assessment and provide annual affirmations. Once stakeholders know what CMMC stands for, they should determine the level of an organization and work towards implementing the applicable controls.
The main types of organizations subject to CMMC include defense contractors and subcontractors. Other organizations that handle FCI or CUI might also need to meet the requirements for compliance with this model, the NIST Cybersecurity Framework or other SP 800-series controls.
An organization working towards CMMC compliance can quickly mature a security program by using an all-in-one compliance platform. Compyl establishes a baseline and allows for continuous monitoring to increase visibility across systems and help stakeholders meet CMMC requirements. A continuous compliance platform can be helpful for conducting self-assessments and preparing for third-party or government-led assessments.
Organizations in the defense industrial base should consult with the DoD to find out whether CMMC compliance is a condition of the contract award and determine the applicable level. Other types of organizations seeking federal contracts should contact the most relevant agency about preferred or required security standards.
CMMC references NIST SP 800-171 but does not supersede this standard. The DoD established CMMC because compliance with the NIST 800-series special publications cannot by itself be certified.
CMMC 1.0 and 2.0 specify compliance levels and assessment requirements for organizations based on controls set out in NIST SP 800-171 and 800-172. CMMC compliance indicates that an organization meets all of the requirements for a particular level of this model.
Organizations and assessors can use CMMC as proof of compliance with the information controls in these publications. The current and subsequent revisions of these special publications will continue to serve as the basis for CMMC 2.0 and future versions of this framework.
Once stakeholders know what CMMC stands for and whether this standard is relevant for an organization, they can work towards adopting security controls for processing, transmitting or storing FCI or CUI. An organization on any of the five levels of CMMC 1.0 or three levels of the CMMC 2.0 model can use Compyl to achieve and maintain compliance with this evolving information security framework.
Request a demo to find out how Compyl can help your organization comply with the NIST 800-series controls that form the basis of the CMMC framework.