So, what is CMMC?
The Cybersecurity Maturity Model Certification or CMMC was developed by the Defense Industrial Base (DIB) to provide a standardized set of practices for any businesses working with the DIB or Department of Defense. For many contractors, the controls required by CMMC are not new. In fact, these controls have been required since 2017 and are founded on the NIST SP 800-171 Rev. 2 that defense contractors have been required to adhere to for several years. CMMC will act as the mechanism in which the DoD validates that contractors are following regulatory requirements and protecting CUI.
With CMMC being required for certain organizations working with the federal government, many people may ask the question: who needs it?
The short answer to this question is that any organization that receives, stores, creates, or transmits controlled unclassified information (CUI) must comply with the CMMC model. The cooperation between the private sector and the federal government has created a need for a standardized set of controls to ensure the security of sensitive information, and the CMMC model ensures that contractors are implementing these controls correctly. These standards are especially useful for manufacturers who supply much of the nation's necessary products.
CMMC is also applicable to all critical infrastructure sectors that store, process, or transmit CUI. Because the chemical, environmental, manufacturing and many more sectors work with the DIB or DOJ, it is more than likely that your organization will have to comply with CMMC regulations.
The CMMC 2.0 model contains three levels: Foundational, Advanced, and Expert.
Each level builds upon the previous one, adding additional controls and requiring greater external validation. The first level, Foundational, applies to any organization that handles Federal Contract Information (FCI). The controls included in this level mostly cover basic cyber hygiene practices, including complex password policies, MFA, etc. At this stage, some contractors will be able to self-attest to their compliance on a yearly basis.
CMMC Level 2 is what most contractors will have to comply with when bidding on or receiving contracts. Any organization that handles CUI will have to be compliant with at least Level 2. The requirements include all 110 controls outlined by NIST 800-171, alongside a third-party audit conducted by a certified third-party authorization organization (C3PAO) every three years. The third and final level requires organizations to implement all of the previous controls plus additional controls based on NIST 800-172. These organizations will be audited by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
If you believe that your organization will be required to comply with CMMC regulations, then your next question is probably . . .
What Should I Do About It?
CMMC compliance can be complex, and it most certainly is expensive. Your organization can make achieving and maintaining compliance much simpler by beginning from a solid foundation. Start by examining your contracts to determine whether you handle CUI/FCI. Next, begin to scope out your compliance boundary. This involves determining which assets (applications, hardware, employees, etc.) will have access to CUI and which ones can be sectioned off into a non-CUI portion of your business.
Many contractors will seek out the help of an MSP (known as an ESP under CMMC) to help them achieve CMMC compliance. While many MSPs may claim to be self-assessed, they will still be in scope for your third-party audit. This means that any shortcoming on their end will reflect poorly on your organization and may lead to a failure.
CorpInfoTech has passed our CMMC Level 2 assessment - through this certification, your organization will inherit 200+ of the 320 objectives required by CMMC. CorpInfoTech is able to provide a faster, less expensive, and flexible solution to your CMMC compliance problems!
Further CMMC resources, blogs and guides:
- CMMC Compliance Checklist
- Does My MSP Need to be CMMC Compliant
- Do I Have CUI?
- CMMC Implementation Guide
- How Prepared Is Your MSP for CMMC Compliance
Still not sure if CMMC applies to your business? CorpInfoTech can help you navigate CMMC compliance. Let us answer all your questions about CMMC compliance; let's chat.
CorpInfoTech passed our CMMC Level 2 Assessment with a perfect score of 110. We are among the first MSPs to pass our CMMC Level 2 Assessment.