National Cybersecurity Month: What is CMMC?

By: Matt Watson

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s way of securing sensitive data they entrust you with. The program has undergone a number of revisions, scheduling delays and public comment, but the core of the program remains the same: requiring you to provide proof of your cybersecurity practices in order to handle sensitive data the Department hands to you. This article explains why the CMMC exists, who it affects, and what to do about it.

Why does this program exist?

The CMMC is a response to increasing rates of theft and destruction of DoD data. In recent years, America’s peer and near-peer competitors have launched successful cyberattacks against the Defense Industrial Base (DIB) and other critical stakeholders in American government, critical infrastructure, and private entities. Their military flight platforms look oddly like our own. Their military vehicles use much of the same design details and specifications. This isn’t due to the sudden ingenuity of nations opposed to U.S. power; they’re a result of espionage, theft and destruction.

The CMMC is the DoD’s attempt to get a handle on the sensitive data they share with their private partners. At the same time that cyberattacks against the DIB are becoming more prevalent, the DoD is signaling that it needs more reliance on the DIB to accomplish its mission, not less. The CMMC aims to bridge the two competing interests.

Who does it affect?

In a nutshell, any company that holds a DoD contract (or plans to in the future) – to include their subcontractors. To be sure, the CMMC affects some parties more than others – a contractor that provides landscaping services to their local base will shoulder a lower burden than a manufacturer designing new components for fighter/attack aircraft. That said, the entire DIB is impacted by the CMMC. The program is split into three levels:

Level 1: Your company is required to perform 17 basic cybersecurity practices and attest to them annually to satisfy your contract.

Level 2: Your company is required to perform 110 cybersecurity practices. A significant portion (likely a majority) of DIB companies must have this validated by a third-party auditor. Level 2 is where the majority of DIB companies will likely fall.

Level 3: Your company has data sensitive enough to require an audit performed by the DoD itself; this includes 145 cybersecurity controls.

The determining factor for what level you fall into is your contract (or your prime’s contract) with the DoD. This will roughly correspond to the sensitivity of data you’re entrusted with, and therefore the standard you’ll need to meet.

What do I need to do?

Although the CMMC is complex, navigating it shouldn’t be. With the right plan and the right team, this requirement can be achieved. The process can be split into the following steps:

  • Identify your CMMC Level.
  • Identify the gap between your current cyber program and the requirements for your CMMC Level.
  • Make a Plan of Action to fix the gaps.
  • Execute the Plan of Action.
  • Sit for your CMMC audit (if applicable).

The good news is that you’ve got some time to plan your CMMC strategy. The program is not required yet, and best indications are that summer of 2023 will see the first set of CMMC requirements integrated into DIB contracts. In addition, there are a small number of Certified Third-Party Assessors (C3PAO) that can conduct your audit if you are CMMC Level 2 (as a reminder, Level 1 is a self-attestation and Level 3 is handled by the DoD itself). As more C3PAOs are designated by the DoD, you are ahead of the game if you can identify one that you’d like to work with on your CMMC preparation or audit.