CMMC and Alabama Companies
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the DIB. It is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the Department increased assurance that contractors and subcontractors are meeting these requirements. To protect American ingenuity and national security information, the DoD developed CMMC 2.0 to dynamically enhance DIB cybersecurity to meet evolving threats and safeguard the information that supports and enables our warfighters.
Helpful links:
See ACCESS Resource page for a copy of the latest released CMMC model and supporting documents.
What are the features of CMMC 2.0?
The framework has three key features:
- Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.
- Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
- Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
What are the changes with CMMC 2.0?
The CMMC 2.0 has 3 increasingly progressive levels (instead of 5):
-
- Foundational / Level 1 (same as previous level 1)
- Advanced / Level 2 (previous level 3)
- Expert / Level 3 (previous level 5)
CMMC 2.0 eliminates all maturity processes
CMMC 2.0 eliminates all CMMC unique security practices:
-
- Advanced / Level 2 will mirror NIST SP 800-171 (110 security practices)
- Expert / Level 3 will be based on a subset of NIST SP 800-172 requirements.
- The CMMC AB will develop the certification criteria and begin certifying C3PAOs in the summer of 2020. UAH will not be seeking C3PAO certification. We will provide updates on the C3PAO certification as the CMMC AB communicates it. Go to the CMMC AB Market Place for the latest on C3PAOs.
CMMC 2.0 allows for Plan of Action and Milestones (POA&M) at certification
-
- Allows the use of POA&Ms
- Highest weighted required cannot be on a POA&M list
- DoD will establish a minimum score requirement to support certification with POA&Ms
Changes to assessment requirements (See below)
Will there be assessments with CMMC 2.0?
Self Assessments
-
- The Department views Level 1 (“Foundational”) as an opportunity to engage its contractors in developing and strengthening their approach to cybersecurity. Because Level 1 does not involve sensitive national security information, DoD intends for this Level to allow companies to assess their own cybersecurity and begin adopting practices that will thwart cyber-attacks.
- Likewise, a subset of programs with Level 2 (“Advanced”) requirements do not involve information critical to national security, and associated contractors will only be required to conduct self-assessments.
- Contractors will be required to conduct self-assessment on an annual basis, accompanied by an annual affirmation from a senior company official that the company is meeting requirements. The Department intends to require companies to register self-assessments and affirmations in the Supplier Performance Risk System (SPRS).
Third Party Assessments:
-
- Once CMMC 2.0 is implemented, contractors will be required to obtain a third-party CMMC assessment for a subset of acquisitions requiring Level 2 (“Advanced”) cybersecurity standards that involve information critical to national security.
- The CMMC-AB will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO). Accredited C3PAOs will be listed on the CMMC-AB Marketplace. The DIB company will be fully responsible for obtaining the needed assessment and certification, to include coordinating and planning the CMMC assessment. After the completion of the CMMC assessment, the C3PAO will provide an assessment report to the DoD.
Who are these C3PAO companies?
The CMMC AB will develop the certification criteria and begin certifying C3PAOs in the summer of 2020. UAH will not be seeking C3PAO certification. We will provide updates on the C3PAO certification as the CMMC AB communicates it. Go to the CMMC AB Market Place for the latest on C3PAOs.
How do I know which CMMC 2.0 level to prepare for?
If you have CUI, then consider readiness for CMMC 2.0 Level 2
If you don’t have CUI, then consider readiness for CMMC 2.0 Level 1
How will my organization know what CMMC 2.0 level is required for a contract?
Once CMMC 2.0 is implemented, DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.
Will the Primes and Subs be required to maintain the same level?
If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.
When will CMMC be rolled out?
The changes reflected in CMMC 2.0 will be implemented through the rulemaking process. Companies will be required to comply once the forthcoming rules go into effect. The Department intends to pursue rulemaking both in Part 32 of the Code of Federal Regulations (C.F.R.) as well as in the Defense Federal Acquisition Regulation Supplement (DFARS) in Part 48 of the C.F.R. Both rules will have a public comment period. Stakeholder input is critical to meeting the objectives of the CMMC program, and the Department will actively seek opportunities to engage stakeholders as it drives towards full implementation.
While these rulemaking efforts are ongoing, the Department intends to suspend the current CMMC Piloting efforts and will not approve inclusion of a CMMC requirement in any DoD solicitation.
The Department encourages contractors to continue to enhance their cybersecurity posture during the interim period while the rulemaking is underway. The Department has developed Project Spectrum to help DIB companies assess their cyber readiness and begin adopting sound cybersecurity practices.
What questions do Alabama companies have about CMMC?
If you have any questions regarding CMMC or how it may impact your business, please contact us.
Resources available to Alabama companies on CMMC
The ACCESS Program provides technical assistance to Alabama companies to help small to medium size companies become ready to meet new DoD cybersecurity requirements.
Assistance Request
Other cyber security resources and information is available through ACCESS
Cybersecurity Resources