In the defence industry? Do you know your CMMC?

CMMC or Cybersecurity Maturity Model Certificate – here is a summary of the basic information you need to know and why it’s needed. 

Cybersecurity breaches could pose severe threats to the defence industry.

How can we prevent it?

Currently, contractors to the US DoD follow various cybersecurity standards and best practices. The goal with CMMC is to combine and map these controls, processes and current regulations, like DFARS 252.204-7012, across several maturity levels and processes. Additionally, every contractor needs to be audited and certified by a third-party auditor, hence no more self-auditing. So, implementing CMMC will reduce the risk of cybersecurity breaches and threats, increase national security, and reduce the likelihood of loss of Controlled Unclassified Information (CUI) in the entire supply chain. The goal of CMMC is to be cost-effective, affordable and risk-reducing.

Main goal of the CMMC
The CMMC is intended to serve as a verification mechanism to ensure that an appropriate level of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect Controlled Unclassified Information (CUI) that resides on the Department’s industry partners’ networks.

The Cybersecurity Maturity Model Certificate (CMMC) version 1.0 was launched to the public on January 31, 2020. It is impressive to see how far and fast Katie Arrington, Chief Information Cyber Security Officer, United States Department of Defense, and her colleagues have come in implementing a critical framework to protect CUI.

What is CUI?
Controlled Unclassified Information (CUI) is information the United States Government creates or processes, or an entity creates or possesses on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. This principle is practically the same for all countries in regard to their respective CUI.

The US has a registry of categories and subcategories for what CUI is, and here are some examples:

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • NATO
  • Tax
  • Nuclear
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • Provisional
  • Statistical

The US is implementing this framework to increase national security, reduce risk against cyber attacks, and reduce the risk of loss of controlled unclassified information in the entire supply chain. It is applicable to all subcontractors on a DoD contract, irrespective of where you are located in the supply chain. The level of the CMMC certificate required is dependent on the type and nature of information flowed down from your prime contractor. It does not apply to Commercial-Off-The-Shelf (COTS) products, though you need to clarify whether you fall under this category before you handle any CUI.

The CMMC is based on the DFARS 252.204-7012, hence the framework should be known to subcontractors of the US DoD. There are five levels of CMMC, so the question is where your service/product will be positioned and, consequently, what CMMC level will be required from you.

Each level has different practices, and CMMC level 3 is debated as perhaps the most applicable level for many of the sub-contractors in the supply chain. It will be interesting to learn more about which CMMC level will be applicable for which practices.

We are looking forward to the future development and implementation of this cybersecurity framework and not least working closer together to secure control of classified and unclassified information. CMMC will increase our security and make it simpler for prime contractors to share data and know who to cooperate with. It is important that all the actors in the supply chain start to analyse and prepare for this implementation because, as we can see, it is progressing at an impressive rate.

Who does this apply to?

If you have a DoD contract, yes it does, and it also applies to sub-contractors. All companies linked to the DoD supply chain in any way need to achieve at least CMMC level 1.

Didrik Bech, CEO at Printed Circuit Broker Elmatica – a partner to several Nordic Defense Actors.

Will CMMC replace other regulations?

No, CMMC builds on DFARS 252.204-7012 and NIST 800-171, and further clarifies and adds additional requirements.

CMMC is built up of 5 levels; which level should you aim for?

Level 1 parallels the FAR 52.204-21 requirements, which all federal contractors must meet. If your contracts or delivery of products include any governmental data, it’s assumed you also hold Federal Contract Information (FCI) and most likely also hold Controlled Unclassified Information (CUI). Storing, handling and processing CUI makes you subject to Level 3 as a minimum. The same applies if you handle export-controlled data, such as ITAR data, which is considered CUI: you will be subject to at least Level 3 in addition to the already existing ITAR-related rules.

When will it be up and running?
The DoD released CMMC Model version 1.0 to the public on January 31, 2020. The Task Group is currently working on new updates and releases. The first auditors will soon be appointed and one should expect that contracts from DoD in the very near future will have this requirement.

For more information, I suggest you access the CMMC FAQs webpage.