CMMC 101: Intro to Compliance
- Triumvirate Cyber
- Jun 17, 2024
- 5 min read
Updated: Feb 11
The Cybersecurity Maturity Model Certification (CMMC) program, at its core, is an effort by the U.S. Department of Defense to protect sensitive data managed by its private industry partners where the information does not meet the threshold for classification, but could still detrimentally impact U.S. national security interests.

Intro to CMMC
The U.S. Department of Defense ("DoD") Cybersecurity Maturity Model Certification ("CMMC") program is a verification mechanism to ensure contractors with access to certain types of government information are adequately protecting it. Read this introduction to learn about the types of information, related regulations, evolution of the CMMC program, its requirements, and what to expect moving forward.
What is Controlled Unclassified Information?
Executive Order 13556 established a formal definition of Controlled Unclassified Information (CUI) in 2010 with the intent to address the patchwork of classification schemes for unclassified information used across the federal government. Specifically, CUI is information which “requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and Government-wide policies.”[1]
Since 2010, the U.S. National Archives and Records Administration (NARA) has defined 20 groupings made up of over 100 categories of Controlled Unclassified Information and maintains a listing in its CUI registry.[2] This registry includes a description of each CUI category as well as labeling requirements, and cites the legislative authority which justifies the category’s designation as CUI.
In brief, CUI is information which requires protection due to U.S. federal law, regulation, or policy but is not classified under Executive Order 13526 “Classified National Security Information.”[3]
How Did We Get from CUI to CMMC?
Since 2017, the DoD has required contractors to self-attest to their compliance with the requirements of NIST Special Publication 800-171 under Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012. However, this method of self-attestation proved to be insufficient as data breaches involving CUI were common for organizations that self-attested to meeting the requirements, resulting in the formation of the Civil-Cyber Fraud Initiative by the U.S. Department of Justice.[4]
To provide a verifiable method of ensuring DoD contractors were implementing the controls in NIST SP 800-171, the DoD developed CMMC version 1.0 as an interim rule via DFARS Case 2019-D041 in 2020.[5] After receiving feedback from DoD contractors in the Defense Industrial Base (DIB), the DoD released a revised version of the CMMC program (2.0) in late 2021.[6] This version establishes three levels of certification based on the type of information accessed by a given contractor.
How Does NIST SP 800-171 Relate to CMMC?
As mentioned above, the DoD has defined NIST SP 800-171 as the foundation of the CMMC program for all but the most basic safeguarding of federal contract information ("FCI"). NIST SP 800-171 is a framework of 110 requirements identified as adequate to protect CUI. These requirements are broken into 14 families based on their topic (e.g., Access Control, Personnel Security, etc.).[7]
While the CMMC rule was originally specified as leveraging the version of NIST SP 800-171 "in effect at the time solicitation is issued" by the DoD, a memo issued in May of 2024 has indicated that NIST SP 800-171 Revision 2 will be used until further notice.[8]
What Are the CMMC Requirements?
The CMMC program defines 3 certification Levels based on the sensitivity of the data managed by contractors:
Level 1: Any organization with access to FCI will be required to self-attest to its compliance with the 15 basic safeguarding controls defined in FAR 52.204-21.
Level 2: DoD contractors who store, process, or transmit CUI data will be required to undergo validation by a C3PAO to demonstrate compliance with the 110 requirements in NIST SP 800-171 (Revision 2) every three years. Note: While Revision 2 has been superseded by Revision 3, the DoD issued a memo specifying Revision 2 as the required standard in May 2024.
Level 3: Finally, organizations with access to certain categories of CUI will require triennial validation by a C3PAO of their compliance with the 134 requirements of CMMC Level 3, including the 110 controls from NIST SP 800-171 as well as an additional 24 from NIST Special Publication 800-172.
Organizations will also need to comply with the requirements outlined in DFARS 252.204-7012 regarding security incident reporting and FedRAMP authorization for leveraged cloud services, as well as annually providing attestation of compliance within the Supplier Performance Risk System ("SPRS", pronounced "spurs") per DFARS 252.204-7019.
When Will CMMC Go into Effect?
Rulemaking within the U.S. federal government and the DoD was completed and the CMMC program was finalized in late December 2024. Enforcement within DoD contracts via DFARS 252.204-7021, marking the beginning of a 3-year phased rollout, is expected to begin in 2025. At that point, DoD contractors will be required to have achieved compliance with the CMMC Level specified in the contract, including attestation from a Certified Third-Party Assessor Organization (C3PAO) for Level 2 and Level 3, prior to being awarded DoD contracts.
Why Start Preparing Now?
Preparing for CMMC is a time-consuming process with many variables, including:
- What level of certification will be required
- The size and complexity of your organization
- The amount of interconnectivity between your IT systems, your partners’ IT systems, and your service providers (including cloud platforms)
Implementing the full suite of 110 controls for Level 2 can take an organization as long as 12 to 18 months. Ensuring you are able to meet these requirements is imperative if you intend to continue taking DoD contracts once the CMMC rule goes into effect.
This can be an intimidating process, so Triumvirate Cybersecurity offers a suite of services to help our customers figure out where they are now and what they need to do to achieve CMMC compliance with confidence. Review our services and contact us to discuss how we can help you go from CMMC-curious to CMMC certified!