November 10, 2020

Nine Things to Know About the CMMC

Written by Rick Yocum

The Cybersecurity Maturity Model Certification (CMMC) (https://www.acq.osd.mil/cmmc/) is a program being developed to help ensure that specific types of unclassified data that exist outside of government systems remain adequately protected.

Specifically, the CMMC applies to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in non-government systems. Eventually, this certification program will replace the process of self-attestation to NIST SP 800-171 that many defense contractors and subcontractors perform today.

While many elements of the program have been designed by the Department of Defense, the CMMC Advisory Board (CMMC-AB) and several other contributing parties continue to refine program details.

Because this program will significantly impact how a large portion of defense contracts are awarded, requires external audits by external parties, and can lead to serious penalties, many organizations in the Defense Industrial Base (DIB) are actively working to understand what the CMMC means for them.

To help demystify the CMMC for TrustedSec clients and partners, we have put together the following list of nine (9) things to help you get more comfortable with the CMMC.

1 - It’s Rolling Out Slowly

Only 15 large contracts (and all associated subcontracts) will require CMMC certification in 2021. More contracts will require CMMC certifications each year, and by 2026, all new contracts will require contractors to have the appropriate CMMC certification.

2 - No POAMs Allowed

The CMMC is a pass-or-fail audit, and uncertified organizations cannot be awarded contracts with CMMC requirements. Specifically, Plans of Action and/or Mitigation (POAMs) will not allow a non-compliant organization to participate in a contract with CMMC requirements. Organizations pursuing CMMC certification can bid on contracts with CMMC requirements as long as they will receive their certification before beginning work on the contract.

3 - Plan for Separate Partners

While there is a bit of nuance to it, the CMMC program is built to ensure that no conflicts of interest occur between CMMC consultants and CMMC auditors. Because of this, consultants that advise contractors on how to comply with the CMMC cannot perform that contractor's CMMC Certification Assessment, and the official CMMC Certification Assessor is prohibited from providing any advice on how to achieve or enhance compliance.

4 - Your Data Drives Your Targets

CMMC has five (5) different certification levels. Level 1 has the least stringent requirements while Level 5 has the most stringent requirements. Each contract will specify the level required to protect the associated data, but in general:

  • Creating and/or storing FCI requires a Level 1 certification, which entails 17 controls (known as ‘practices’).
  • Creating and/or storing CUI requires Level 3 certification, which entails 130 controls (aka ‘practices’) AND requires a level of documentation to confirm that these controls are consistently executed, funded, staffed, and maintained.

The DoD and CMMC-AB expect that the majority of organizations will need to be certified at Level 1.

5 - Define Your CUI and FCI

From a data perspective, many prime contractors have historically taken a blanket approach toward ensuring that their subcontractors comply with NIST 800-171 requirements. Unfortunately, this has led to a great deal of confusion about which data is and is not CUI.

New contracts with CMMC requirements will specify which data should be treated as FCI and CUI, but existing data in your environment should already be secured to the appropriate level (NIST 800-171 for now and CMMC in the future). It is notable that, because of the Christian Doctrine, organizations holding this data are responsible for securing it to the appropriate level even if the contract accidentally or intentionally omits the requirement to do so. In other words: organizations and individuals can be punished for failing to protect this data, even if they are not contractually obligated to do so.

Lastly, the official source for defining CUI can be found at the NARA Archives. Organizations are strongly encouraged to review the Safeguarding and/or Dissemination Authority documentation associated with each category to gain a specific understanding of the applicable data.

6 - Three-Year Cycle

Recertification is required every three (3) years. 

7 - Isolate Your Data

Like any data-oriented certification, one of the most effective paths toward achieving compliance is to isolate the sensitive data and to secure the zone where that data resides. While this may require business process adjustments, it is often the most cost-effective approach and frequently results in the highest level of risk reduction.

8 - Minimize Your Data

Like isolation, data minimization can also play a significant role in compliance activities. While this includes ensuring that data is removed when no longer needed, it also can include taking steps to ensure that sensitive data does not enter your environment. Some organizations will demonstrate compliance by having their prime contractor or subcontractor get the certification and choosing to work exclusively from the certified environment. While it can require some up-front coordination, partnering with a CMMC certified organization and ensuring that sensitive data does not leave the certified environment can be an effective approach to minimizing the compliance obligations related to the CMMC.

9 - Use The CMMC Appendices

While many organizations will be familiar with the main CMMC model document, far fewer organizations become familiar with the CMMC Model Appendices. The Appendices document contains a control-by-control breakdown of each CMMC requirement and often provides specific answers in areas where the higher-level CMMC model document may be unclear.

Final Thoughts

While the CMMC is rolling out slowly and might not warrant quite as much panic as initially thought, some organizations will need to make significant investments in their systems and processes to achieve compliance. The DoD and CMMC-AB both suggest that organizations begin their journey toward CMMC adherence now in order to avoid missing out on opportunities due to compliance issues.

Have questions or concerns on how to best prepare for the CMMC? TrustedSec can help!