What Is CMMC?

Cybersecurity Maturity Model Certification (CMMC) compliance is a combination of various cybersecurity standards and best practices. The model’s creation was supported by the Department of Defense (DoD) and built upon existing regulations where compliance is based on trust and a verification component. The primary objective of CMMC is the protection of sensitive information. The origins of the compliance framework can be found in special publications from the National Institute of Standards and Technology (NIST) – NIST SP 800-171 and NIST SP 800-53 – and constructed with existing regulations, such as Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.

Driven by feedback across the industry, CMMC has since been reworked into a hybrid certification model. This new version, referred to as CMMC 2.0, was announced on November 4, 2021. The changes are intended to reduce barriers to compliance for small and mid-sized firms while maintaining the goal of protecting the Defense Industrial Base from cyberattacks. CMMC 2.0 focuses on the most critical requirements and streamlines the model from 5 to 3 compliance levels.

CMMC addresses the protection of FCI and CUI data:

• Federal Contract Information (FCI) - Information not intended for public release. It is provided by or generated for the government under a contract to develop or deliver a product or service to the government. FCI does not include information provided by the government to the public.
• Controlled Unclassified Information (CUI) - Information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

Understanding CMMC 2.0 Compliance

Learn more about what CMMC 2.0 means for government contractors and how you can prepare your business.

Get Your Guide

Most organizations fulfilling government contracts for the DoD will need to address CMMC requirements in requests for information (RFIs) and requests for proposal (RFPs) bids for DoD acquisitions, with the potential exception for commercial items.

The various cybersecurity standards and best practices upon which CMMC is based are largely self-certified. CMMC represents a major change to that by introducing the C3PAO requirement to review systems and processes for certification. To standardize this process, the DoD established the non-profit, independent organization, CMMC-AB, to define the assessment and administration needed for certification. Currently, CMMC-AB is in the process of licensing assessors and the firms that will serve as C3PAOs.

Government contractors will initially see DoD requirements to satisfy Maturity Levels 1 and 2 for anyone handling FCI or CUI. The majority of contractors will need to certify first at Maturity Level 1 and then Maturity Level 2. Maturity Level 3 will be required for organizations working with the most sensitive CUI or confidential data; however, it will be required to first certify at Maturity Level 1 and Maturity Level 2 before Maturity Level 3. Maturity Level requirements will be specified in contracts and are expected to flow down only to sub-contractors that are working with the controlled information. Therefore, it is important to know what type of data you are storing. Once an organization is CMMC certified, the certification is expected to be valid for three years.

The CMMC 2.0 maturity levels map directly to NIST SP 800-171 Controls.

• Maturity Level 1 – Foundational; allows organizations to conduct self-assessments against FAR 52.204-
• Maturity Level 2 – Advanced; includes 110 practices from NIST SP 800-171 and allows for self-assessment for Controlled Unclassified Information (CUI) but requires Certified Third-Party Assessment Organization (C3PAO) to conduct assessments when working with sensitive controlled information.
• Maturity Level 3 – Expert; requires CMMC 2.0 L2 C3PAO certification, adds NIST SP 800-172, and requires an assessment from the DoD when working with the most sensitive controlled information.

Assessors: Individuals who have successfully completed the background, training, and examination requirements as outlined by the CMMC Accreditation Body (AB), and to whom a license has been issued. Assessors are not employed by the CMMC-AB and may or may not be employed by the Certified Third- Party Assessment Organization (C3PAO).

Certified Third Party Assessment Organization (C3PAO): An entity with which at least two assessors are associated and to which a license has been issued to engage with organizations seeking certification (OSC) to complete their associated CMMC assessment.

CMMC Accreditation Body (AB): The accreditation body that establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/ best practices within the CMMC program.

Organizations Seeking Certification (OSC): The organization that is going through the CMMC assessment process to receive a level of certification for a given environment.

Cloud Service Providers (CSP): A third-party company offering a cloud-based platform, infrastructure, application, or storage services. CSPs may be storing sensitive unclassified information that is subject to CMMC certification.

To ready their organizations, government contractors should ensure they cover the following steps.

• Step 1 – Identify and classify the type of data you store to support existing or new contract awards.
• Step 2 – Understand the Maturity Level your firm will likely need to satisfy based on the type of data you store and identify the gaps that could prevent achieving certification.
• Step 3 – If you are unsure and work with CUI, start with Maturity Level 2, based off the 110 controls from NIST 800-171.
• Step 4 – Make sure you have the documentation of formalized processes and controls.
• Step 5 – Be familiar with the major definitions and compliance standards that make up CMMC 2.0.

Leveraging cloud service providers can be a solid strategy for addressing many aspects of CMMC 2.0. For instance, the controls implemented in Costpoint GovCon Cloud Moderate support DFARS 252.204-7012 and NIST SP 800-171 requirements which, were adapted to form the basis of the CMMC framework. However, simply moving into the cloud does not automatically make a firm compliant, but it can assist with getting to certification quicker and with less cost.

Here are 4 key considerations for government contractors when looking at a vendor for a cloud solution:

1. Determine if they have a strong government contractor client base.
2. Ask if they can demonstrate that the practices they will perform on your behalf meet the requirements of NIST SP 800-171.
3. Understand what your vendor’s plans are for CMMC and what level they strive to be. It’s important to remember that Maturity Level 2 or 3 are required to store CUI with that vendor’s solution.
4. Any Cloud Service Provider (CSP) working with CUI needs to have controls that align with DFARS clause 252.204-7012 (b)(2)(ii)(D), the FedRAMP Moderate baseline.

ERP For Government Contractors

Deltek is dedicated to protecting your data by ensuring our capabilities meet the constantly changing security landscape. We are continuously adjusting our suite of products and services to support your cyber posture by increasing our investment in security, compliance and supporting technologies for our customers – easing and scaling the management of systems for your teams.

The DoD has mandated that all government contractors competing for DoD contracts are CMMC certified. While this mandate may seem to be in the distant future, many government contractors are planning ahead, making it a top priority to find a Cloud Service Provider (CSP) that offers a solution that will support their CMMC compliance requirements. Investing in a CSP and a solution that helps address all your requirements, including FedRAMP Moderate equivalency, is important. Costpoint GCCM has achieved FedRAMP Moderate Ready status, which delivers you many of the required security controls you will need, with the understanding that compliance frameworks are a shared responsibility. At Deltek, we are dedicated to being that trusted partner.