What Is CMMC?

If you work with the DoD, then you’re on the clock to comply with CMMC — do you know what’s involved, and what it means for your organization?

Late last year, the first version of the DOD’s Cybersecurity Maturity Model Certification (CMMC) laid out new cybersecurity requirements for contractors like yours. The intention is to continually provide more accurate and more effective insight into modern cybersecurity best practices for organizations involved with DOD operations.

If you are a government contractor, you’ve probably heard about CMMC by now, but you still might not be sure if it applies to you. Check out our latest video to explore the basics of CMMC compliance:

What Is CMMC?

CMMC is the DOD’s way of certifying its contractors’ abilities to protect the Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared within the supply chain.

This builds upon the requirements set out by the Defense Federal Acquisition Regulation Supplement (DFARS), the Code of Federal Regulations (CFR) and National Institute of Standards and Technology (NIST) guidelines (namely, NIST SP 800-171).

The DOD relies on external contractors and suppliers like you to carry out a wide range of tasks. Sensitive data that is shared with you must be protected. The fact is that inadequate safeguards for this sensitive data may threaten America’s National Security and put our military members at risk.

The DOD has implemented a basic set of cybersecurity controls through DOD policies and DFARS. These rules and clauses apply to the safeguarding of contractor/supplier information systems that process, store or transmit Controlled Unclassified Information (CUI).

These security controls must be implemented at both the contractor and subcontractor levels, based on the information security guidance developed by the National Institute of Standards and Technology in NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.

Who Does CMMC Apply To?

If you do business with the DOD, NASA, GSA or another state/federal agency, you need to be prepared for the CMMC framework. Anyone operating in the DOD supply chain must become certified to demonstrate that they’re able to protect controlled unclassified information (CUI).

What Cybersecurity Requirement Levels Are Included In CMMC?

CMMC introduces 5 levels of security requirements:

  1. Level 1: The first level requires basic cybersecurity practices, including anti-virus software, strong passwords and other fairly standard measures.
  2. Level 2: The second level is designed to protect controlled unclassified information, and as such, requires more complex measures:
    1. Access controls
    2. Awareness and training
    3. Identification and authentication
    4. Configuration management
    5. Audit and accountability
    6. Incident response
    7. Media protection
    8. Maintenance
    9. Physical protection
    10. Personnel security
    11. Security assessment
    12. Risk assessment
    13. Systems and communications protections
    14. Systems and information integrity
  3. Level 3: The third level is based on an extension of the NIST 800-171 r2 standards. There are 47 security controls that must be in place to comply with this level.
  4. Level 4: The fourth level requires contractors to be proactive when it comes to measuring, detecting, and defending against threats. Some requirements are similar to DFARS while requiring contractors to be prepared to handle advanced persistent threats.
  5. Level 5: The fifth and final level includes 30 extra security controls above and beyond level four that must be put in place. They revolve around auditing and management processes as opposed to technical requirements.

Need Expert Assistance Implementing CMMC?

Don’t drop out of the defense contracting sector just because it’s become more difficult to stay compliant. Investing in CMMC compliance will make you a more valuable contractor for the DoD, and improve your cybersecurity in general.

If you’re looking for guidance, Orion Networks is here to help. We work with DOD contractors throughout the Northern Virginia, Maryland and Washington DC areas, and can assist in developing confident CMMC compliance.