What is CMMC?

The Defense Industrial Base (DIB) is the target of increasingly frequent and complex cyberattacks. To protect American ingenuity and national security information, the DoD developed CMMC 2.0 to dynamically enhance DIB cybersecurity to meet evolving threats and safeguard the information that supports and enables our warfighters.

OVERVIEW OF THE CMMC PROGRAM

The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the DIB. It is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the Department with increased assurance that contractors and subcontractors are meeting these requirements.

The framework has three key features:

  • Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forth the process for flowing information requirements down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
  • Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

OVERVIEW OF ASSESSMENTS

CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with a contractor. Upon implementation of CMMC 2.0:

  • Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards.
  • Contractors managing information critical to national security (a subset of Level 2) will be required to undergo third-party assessments.
  • The highest priority, most critical defense programs (Level 3) will require government-led assessments.

SELF-ASSESSMENTS

The Department views Level 1 (“Foundational”) as an opportunity to engage its contractors in developing and strengthening their approach to cybersecurity. Because Level 1 does not involve sensitive national security information, DoD intends for this Level to allow companies to assess their own cybersecurity and begin adopting practices that will thwart cyber-attacks.

Likewise, a subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments.

Contractors will be required to conduct a self-assessment on an annual basis, accompanied by an annual affirmation from a senior company official that the company is meeting requirements. The Department intends to require companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS). An unofficial CMMC assessment can serve to give company officials confidence in the attestation they make.

THIRD-PARTY ASSESSMENTS

Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security.

The CMMC-AB will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO). The DIB company will be fully responsible for obtaining the needed assessment and certification, including coordinating and planning the CMMC assessment. After the completion of the CMMC assessment, the C3PAO will provide an assessment report to the DoD.

As part of the CMMC 2.0 implementation, the DoD will approve all CMMC-AB conflict of interest related policies that apply to the CMMC ecosystem. Additionally, the CMMC-AB must achieve compliance with the ISO/IEC 17011 standard prior to accrediting C3PAOs and a CAICO. Separately, C3PAOs will be required to comply with ISO/IEC 17020 and the CAICO will be required to comply with ISO/IEC 17024 requirements.

GOVERNMENT ASSESSMENTS

The Department intends for Level 3 (“Expert”) cybersecurity requirements to be assessed by government officials. Assessment requirements are currently under development.