The History of CMMC (Cybersecurity Maturity Model Certification)
The Cybersecurity Maturity Model Certification (CMMC) has become a relevant topic for many organizations within the Defense Industrial Base (DIB). Many businesses are wondering whether they must be compliant and how to begin that process. Because cyber threats keep changing, the CMMC model has evolved since its inception, which can make it difficult to keep up with. This blog seeks to provide a short history of what the CMMC is and how it has changed over the years.
The history of the CMMC goes all the way back to 2010 with Executive Order 13556. The CMMC model seeks to provide a standard for the protection, storage, and transmission of controlled unclassified information (CUI), and it was this executive order that established what constitutes CUI and how it is defined.
It wasn't until 2019 that the Department of Defense actually announced the development of CMMC in order to move away from the then-current "self-attestation" model of security. While the CMMC model today does allow for some self-attestation, it is much more complex and is scrutinized by third parties. Since 2017, defense contractors had to self-assess against the NIST 800-171 standard. The CMMC was founded on these standards and was created as a way to better enforce NIST 800-171 requirements.
In November of 2020, CMMC 1.0 was implemented as an interim rule in all DoD contracts, requiring contractors to upload an SPRS score in compliance with NIST 800-171 and various DFARS requirements.
This first iteration of CMMC contained 5 maturity levels in ascending order.
- Level 1 - Basic Cyber Hygiene
- Level 2 - Intermediate Cyber Hygiene
- Level 3 - Good Cyber Hygiene
- Level 4 - Proactive Cyber Hygiene
- Level 5 - Advanced and Progressive Cyber Hygiene
These 5 levels addressed the 110 controls of NIST 800-171, which are divided into 14 control families. All contractors were expected to comply with at least the first level, while other contractors higher up were expected to comply with the more advanced levels. This model worked for a while, but soon it was replaced with CMMC 2.0.
CMMC 2.0 was announced in November of 2021 and attempted to streamline the expectations of the previous model by downsizing the transitional levels 2 and 4.
Instead of 5 maturity levels, CMMC 2.0 has only 3.
- Level 1 - Foundational
- Level 2 - Advanced
- Level 3 - Expert

In 2023, the formal rulemaking process for CMMC began under Title 32 and Title 48 of the Code of Federal Regulations (CFR). Prior to the publication of CMMC, any MSP (known as ESPs under CMMC) would be required to comply with the CMMC model at the same level as the contractor they are serving. This changed, however, and MSPs/ESPs are no longer required to achieve level 2 CMMC compliance. Regardless, contractors should seek out C3PAO-certified MSPs, as any service provider that has not been validated by a third party will still be in scope of the contracting organization's audit.
This lengthy process involved multiple reviews and community feedback that resulted in CMMC being published in the Federal Register as a final rule on October 15, 2024. This final rule would become effective on December 16, 2024, with audits starting at the beginning of 2025.
What Next?
With CMMC finalized and audits beginning, what are the next steps that defense contractors should take? Achieving and maintaining CMMC compliance can be complex and expansive. CMMC compliance is no longer optional; failing to comply with CMMC could result in loss of contracts/business.
CorpInfoTech can help! Through TAS for CMMC Compliance, CorpInfoTech offers a faster, less expensive, and more flexible CMMC compliance solution that helps you achieve your compliance results with greater efficiency. We are a CMMC Level 2 (C3PAO) certified MSP, making us one of the first MSPs to achieve level 2 compliance with a perfect 110 score.
By partnering with CorpInfoTech, your organization will inherit 200+ of the 320 objectives required by CMMC. Access to pre-certified controls reduces implementation time and provides greater assurance when audit time comes.
Many MSPs will claim to be CMMC compliant via a self-assessment. Unfortunately, this does not remove them from the scope of your audit. If your service provider drops the ball, your organization will be faced with the consequences of a failed audit. Partner with a certified and trustworthy MSP!
CorpInfoTech is a CMMC Level 2 (C3PAO) certified MSP that has passed our audit with a perfect 110, making us one of the first MSPs to achieve level 2 compliance.
Learn more about CorpInfoTech and how we help contractors achieve CMMC compliance!