Cybersecurity Maturity Model Certification (CMMC) Framework Overview

What is the CMMC?

The CMMC, or Cybersecurity Maturity Model Certification, was created by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to improve the cybersecurity of the contractors and subcontractors that make up the DoD supply chain (the Defense Industrial Base).

Who does it apply to?

All prime contractors and subcontractors of the Department of Defense that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The certification level required depends on the sensitivity of the information the contractor handles.

How do I get certified?

Certification is performed by a third-party assessment organization, not by self-attestation. The CMMC Accreditation Body (CMMC-AB) is currently accrediting these assessment organizations (C3PAOs); once accredited, they will conduct the assessments.

Do I have to pay for an audit?

Yes. The assessment is performed at the contractor's expense, but the cost has not yet been determined.

Overview:

  • CMMC certification is required across the DoD supply chain. The model defines five certification levels, from Level 1 (basic cyber hygiene) up to Level 5.
  • It combines technical practices and organizational process requirements for protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
  • The level of certification required for a prime contractor is specified in its government contract; the prime then determines (flows down) the level required for each of its supply chain vendors.
  • Many non-prime vendors will likely need only Level 3 or lower: Level 1 is sufficient for vendors that handle FCI but no CUI, while handling CUI generally requires Level 3.
  • Recommendation for supply chain vendors: meet with your primes, understand what is levied on them and what they will impose on you, and at a minimum understand the 17 practices required for basic cyber hygiene certification at Level 1 (these correspond to the basic safeguarding requirements of FAR 52.204-21).

Background: 

  • A 2010 Executive Order (EO 13556) requires the Executive Branch to protect Controlled Unclassified Information (“CUI”), defined as “information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations and government-wide policies.” CUI replaces legacy agency markings such as “For Official Use Only” (FOUO) with a single government-wide designation.
  • Protection is also required for Federal Contract Information (“FCI”), a category of less-sensitive information that is provided by, or generated for, the Government under contract and is not intended for public release.
  • NIST published the cybersecurity requirements for CUI in NIST Special Publication (“SP”) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” (first issued in 2015, Revision 1 in 2016). In 2016 the DFARS clause 252.204-7012 made compliance with SP 800-171 a contractual requirement for DoD contractors that handle CUI; CMMC builds on those requirements and adds third-party verification.
