
CMMC Checklist: Prepare for CMMC 2.0 And Beyond

The Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) is a framework of cybersecurity standards and best practices that is becoming a requirement for government contractors working with the DoD.

The newest version (CMMC 2.0) is now available, and the DoD is working to implement CMMC 2.0 through its regulatory process.

This article provides a brief explanation of CMMC 2.0, why it matters, and a checklist you can use as you consider if certification is right for your organization.

What is the CMMC?

The CMMC framework is a certification model designed to give the DoD better standardization of the cybersecurity controls it requires from its contractors (collectively called "the Defense Industrial Base" or "DIB").

CMMC 2.0 is the latest version of this certification program. The goal of CMMC 2.0 is to continue to focus on safeguarding sensitive national security data while maintaining its original goals of requiring standardized security controls without overburdening contractors.

CMMC 2.0 includes:

  • Simplifying and clarifying the CMMC program, including additional clarity on cybersecurity regulatory and policy compliance and on contract management.
  • Focusing on ensuring that companies supporting high-risk programs meet the strictest security standards and regulations, verified through third-party assessments.
  • Increasing departmental oversight of professional and ethical practices within the assessor industry.

Strategic Direction for Cybersecurity Maturity Model Certification (CMMC) Program

Under CMMC 2.0, DIB contractors will be required to achieve different certification or "maturity" levels depending on the sensitivity of the data they handle.

  • Maturity Level 1 focuses on foundational security controls and will be required of every DIB contract that involves federal contracting information (FCI) and, possibly, non-prioritized controlled unclassified information (CUI).
  • Maturity Level 2 covers more advanced cybersecurity controls that directly align with NIST SP 800-171 (another well-known cybersecurity framework) and will be required for all DIB contractors who work with prioritized CUI.
  • Maturity Level 3 includes the most stringent requirements, comprising 130 security controls drawn from NIST SP 800-171 and other security frameworks, and will be required for all DIB contractors who work with the most sensitive types of CUI.

NOTE: CMMC is a compliance certification program that will become the enforcement mechanism for DFARS 252.204-7012, which has required contractors to implement the NIST SP 800-171 security controls since 2017.

Multi-Tiered Compliance Approach

Not all businesses handle mission-critical, sensitive data when working with the DoD. As a result, CMMC compliance requirements are divided into three maturity levels: foundational, advanced, and expert.

If you have contracted with the DoD as a prime or subcontractor since 2017, you may have already implemented NIST SP 800-171 security controls in accordance with FAR and DFARS contract requirements, so you should be well on your way toward CMMC compliance. But ultimately, your company's required CMMC Maturity Level will depend on your contract and the data you will receive, access, and support in fulfillment of that contract.

NOTE: If you utilize a software or service provider that will handle or store CUI received or created as part of your DoD contract, be sure to confirm that your cloud service provider is compliant with DFARS 7012 before your CMMC audit.

Understanding the Compliance Ecosystem

CMMC represents a community of affiliated organizations, government contractors, and third-party assessors committed to securing government data and protecting all parties.

With anywhere between 200,000 and 300,000 Defense Industrial Base (DIB) contractors partnering with our government at all levels, it is easy to understand the importance of robust, well-documented security controls and established cooperation.

While the goal is certification of the DIB contractor community, the process to get there involves collective coordination across many organizations, including:

  • Advisors: Registered Practitioners (RPs) and Registered Practitioner Organizations (RPOs)
  • Assessors: Certified CMMC Professionals (CCPs) and Certified CMMC Assessors
  • Official CMMC Certification Publishers: Licensed Publishing Partners (LPPs)
  • Educators/Trainers: CMMC Licensed Training Providers (LTPs)
  • Certified CMMC Instructors
  • CMMC Third-Party Assessment Organizations

CMMC 2.0 Compliance Checklist

The following CMMC Checklist is designed to give you a head start on your CMMC 2.0 journey.

The hope is that it can help your organization as you prepare for CMMC 2.0 and beyond. However, CMMC 2.0 is very complex, and the specific requirements that will apply to your organization may depend on a host of factors. Thus, we recommend consulting a Certified CMMC Professional or other Registered Practitioner certified by the Cyber Accreditation Board (Cyber AB) for additional guidance on how to comply with the requirements outlined in the CMMC 2.0 standard.

1. Identify Internal Stakeholders

In particular, consider your internal or outsourced IT and information security team(s), as well as your legal team.

2. Plan Ahead for the Type of Assessment You Will Need

While contractors can self-assess to Level 1 certification, these self-assessments must be certified at the executive level. Some Level 2 contractors may be able to self-assess, but if you handle "critical national security information", you will be required to undergo assessments by certified third-party assessment organizations (called "C3PAOs"). Level 3 contractors will be required to undergo a government-led assessment every three years.

3. Utilize Resources from the Cyber AB

The Cyber AB is the entity tasked by the DoD with accrediting the C3PAOs that conduct CMMC Assessments of companies within the DIB. The Cyber AB maintains a variety of resources for those seeking certification, including a marketplace listing the entities and individuals who are qualified to provide assessments or consult on certification strategies. You can find these resources at https://cyberab.org/.

4. Consider Any Existing Obligations to Submit a Self-Assessment

Different CMMC maturity levels and other contractual requirements may require you to have already submitted a self-assessment of your cybersecurity controls to the Supplier Performance Risk System (SPRS). Additionally, many prime contractors and business partners are pushing hard for early score submission to avoid penalties under the DFARS interim rule.

5. Maintain Records of Compliance Throughout the Process

Maintain continuous documentation of all security controls, reviews, and submissions throughout the process.

Deltek Remains Committed to CMMC

Deltek is a leading provider of enterprise resource planning (ERP) software. Our flagship SaaS ERP solution, Deltek Costpoint, has been built specifically to meet the needs of government contractors and those in other regulated industries.

For contractors who need to take complete control of their business operations from anywhere at any time, Deltek offers two industry-trusted solutions for managing their entire Enterprise Resource Planning (ERP) delivery.

  • Deltek's Costpoint GovCon Cloud (GCC) offers secure data hosting for Federal Contract Information (FCI) and non-DoD Controlled Unclassified Information (CUI).
  • Deltek Costpoint GovCon Cloud Moderate (GCCM) can handle even greater compliance needs, including ITAR regulations, Covered Defense Information (CDI), and Controlled Technical Information (CTI). Costpoint GCCM has completed its FedRAMP Moderate Equivalency assessment and is listed on the FedRAMP Marketplace.

Our implementation of industry-standard security controls throughout our cloud infrastructure serves as the foundation for achieving CMMC compliance. When the program is finalized and published, Deltek expects to pursue CMMC 2.0 certification at Maturity Level (ML) 2 for our Costpoint GCCM offering.

Contributors

Author

Michael Greenman

Sr. Product Marketing Manager

Michael Greenman is a subject matter expert in Software as a Service (SaaS) and cybersecurity. He has worked for Deltek since 2021 to bring awareness and understanding of Deltek’s SaaS solutions and how they benefit project-based businesses across multiple markets. Michael is a frequent speaker on cybersecurity compliance initiatives, like CMMC, for government contractors and he is a CMMC Registered Practitioner. Michael holds master’s degrees in public administration and cybersecurity.
