What Is CMMC?

Written by: Michael Greenman

Cybersecurity Maturity Model Certification (CMMC) compliance is a combination of various cybersecurity standards and best practices. The model’s creation was supported by the Department of Defense (DoD) and built upon existing regulations where compliance is based on trust and a verification component. The primary objective of CMMC is the protection of Controlled Unclassified Information (CUI). The origins of the compliance framework can be found in special publications from the National Institute of Standards and Technology (NIST) – NIST SP 800-171 and NIST SP 800-53 – and constructed with existing regulations, such as Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.

Driven by feedback across the industry, CMMC has since been reworked into a hybrid certification model. This new version, referred to as CMMC 2.0, was announced on November 4, 2021. The changes are intended to reduce barriers to compliance for small and mid-sized firms while maintaining the goal of protecting the Defense Industrial Base from cyberattacks. CMMC 2.0 focuses on the most critical requirements and streamlines the model from 5 to 3 compliance levels.

CMMC addresses the protection of FCI and CUI data:

• Federal Contract Information (FCI) - Information not intended for public release. It is provided by or generated for the government under a contract to develop or deliver a product or service to the government. FCI does not include information provided by the government to the public.
• Controlled Unclassified Information (CUI) - Information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

How to Navigate Cybersecurity Complexity

Decode CMMC and learn about the complex web of security controls and practices defense contractors must maintain to meet compliance requirements.

Watch Webinar On Demand

Most organizations fulfilling government contracts for the DoD will need to address CMMC requirements in requests for information (RFIs) and requests for proposal (RFPs) bids for DoD acquisitions, with the potential exception for commercial items.

The various cybersecurity standards and best practices upon which CMMC is based are largely self-certified. CMMC represents a major change to that by introducing the C3PAO requirement to review systems and processes for certification. To standardize this process, the DoD established the non-profit, independent organization, CMMC-AB, to define the assessment and administration needed for certification. Currently, CMMC-AB is in the process of licensing assessors and the firms that will serve as C3PAOs.

Government contractors will initially see DoD requirements to satisfy Levels 1 and 2 for anyone handling FCI or CUI. The majority of contractors will need to certify first at Level 1 and then Level 2. Level 3 will be required for organizations working with the most sensitive CUI or confidential data; however, it will be required to first certify at Level 1 and Level 2 before Level 3. Level requirements will be specified in contracts and are expected to flow down only to sub-contractors that are working with the controlled information. Therefore, it is important to know what type of data you are storing. Once an organization is CMMC certified, the certification is expected to be valid for three years.

The CMMC 2.0 levels map directly to NIST SP 800-171 Controls.

• Level 1 – Foundational; Requires contractors and applicable subcontractors to verify through self-assessment that all applicable security requirements outlined in FAR clause 52.204-21 have been implemented.
• Level 2 – Advanced; Requires contractors and applicable subcontractors to verify that all applicable security requirements outlined in NIST SP 800-171 Rev 2 and required via DFARS clause 252.204-7012 have been implemented. As determined by DoD, program contracts will include either a CMMC Level 2 Self-Assessment requirement or a CMMC Level 2 Certification Assessment requirement to verify a contractor’s implementation of the CMMC Level 2 security requirements. Successful implementation requires meeting all objectives defined in NIST SP 800-171A for the corresponding CMMC Level 2 security requirements and verified by a Certified Third-Party Assessment Organization (C3PAO). The CMMC Level 2 Certification Assessment must be completed tri-annually, and the affirmation must be completed annually.
• Level 3 – Expert; requires CMMC 2.0 Level 2 C3PAO certification, additional selected NIST SP 800-172 security requirements and requires an assessment from the DCMA DIBCAC. The CMMC Level 3 Certification Assessment must be completed tri-annually, and the affirmation must be completed annually.

Understanding CMMC 2.0 Compliance

Learn more about what CMMC 2.0 means for government contractors and how you can prepare your business.

Get Your Guide

Assessors: Individuals who have successfully completed the background, training, and examination requirements as outlined by the CMMC Accreditation Body (AB), and to whom a license has been issued. Assessors are not employed by the CMMC-AB and may or may not be employed by the Certified Third-Party Assessment Organization (C3PAO).

Certified Third Party Assessment Organization (C3PAO): An entity with which at least two assessors are associated and to which a license has been issued to engage with organizations seeking certification (OSC) to complete their associated CMMC assessment.

CMMC Accreditation Body (AB): The accreditation body that establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/ best practices within the CMMC program.

Organizations Seeking Certification (OSC): The organization that is going through the CMMC assessment process to receive a level of certification for a given environment.

Cloud Service Providers (CSP): A third-party company offering a cloud-based platform, infrastructure, application, or storage services. CSPs may be storing sensitive unclassified information that is subject to CMMC certification.

To ready their organizations, government contractors should ensure they cover the following steps.

• Step 1 – Identify and classify the type of data you store to support existing or new contract awards.
• Step 2 – Understand the CMMC Level your firm will likely need to satisfy based on the type of data you store and identify the gaps that could prevent achieving certification.
• Step 3 – If you are unsure and work with CUI, start with Level 2, based off the 110 controls from NIST SP 800-171.
• Step 4 – Make sure you have the documentation of formalized processes and controls.
• Step 5 – Be familiar with the major definitions and compliance standards that make up CMMC 2.0.

Leveraging a Cloud Service Provider can be a solid strategy for addressing many aspects of CMMC 2.0. For instance, Deltek Costpoint GCCM has completed its FedRAMP Moderate Equivalency assessment and supports DFARS 252.204-7012 requirements and NIST SP 800-171 controls which, were adapted to form the basis of the CMMC framework. However, simply moving into the cloud does not automatically make a firm compliant, but it can assist with getting to certification quicker and with less cost.

Here are 4 key considerations for government contractors when searching for the right cloud service provider solution:

1. Evaluate whether they have a strong government contractor client base. This will ensure that the solution is tailored to meet your specific compliance requirements.
2. Confirm your Cloud Service Providers (CSP) have achieved the FedRAMP Baseline Moderate or Equivalent standard.
3. Ask if they can demonstrate that the practices they will perform on your behalf meet the requirements of CMMC as a Cloud Service Provider (this cannot be inherited from a cloud infrastructure service such as AWS).
4. Any Cloud Service Provider (CSP) working with CUI needs to have controls that align with DFARS clause 252.204-7012 (b)(2)(ii)(D), the FedRAMP Moderate baseline.

ERP For Government Contractors

Deltek is dedicated to protecting your data by ensuring our capabilities meet the constantly changing security landscape. We are continuously adjusting our suite of products and services to support your cyber posture by increasing our investment in security, compliance and supporting technologies for our customers – easing and scaling the management of systems for your teams.

The DoD has mandated that all government contractors competing for DoD contracts are CMMC certified. While this mandate may seem to be in the distant future, many government contractors are planning ahead, making it a top priority to find a Cloud Service Provider (CSP) that offers a solution that will support their CMMC compliance requirements. Investing in a CSP and a solution that helps address all your requirements, including FedRAMP Moderate Authorization or Equivalency, is important. Costpoint GCCM has completed its FedRAMP Moderate Equivalency assessment and is listed on the FedRAMP Marketplace, which delivers you the compliance support you will need for CMMC, with the understanding that compliance frameworks are a shared responsibility. At Deltek, we are dedicated to being that trusted partner.