Protecting the Defense Industrial Base (DIB) from increasingly frequent and complex cyberattacks is of the highest priority for the Department of Defense (DoD). As such, the DoD proposed modifications intended to enhance the Cybersecurity Maturity Model Certification (CMMC) program. The mission of this modified program, known as CMMC 2.0, is to further bolster cybersecurity and safeguard critical information vital to national security.
As the DoD tightens its scrutiny of cybersecurity compliance among defense contractors and subcontractors, companies that achieve CMMC 2.0 compliance stand to gain a competitive advantage. Here is a comprehensive list of key CMMC FAQs, terms, and definitions, essential for grasping this complex framework.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) sets the cybersecurity standards for the Department of Defense (DoD) and its contractors.
Now known as CMMC 2.0, this updated version was introduced in 2021. The certification ensures that contractors have established specific cybersecurity systems and processes to maintain essential cyber hygiene. CMMC aims to protect controlled unclassified information (CUI) on the networks of DoD contractors.
What are the CMMC levels?
The certification is divided into three levels:
Level 1
Level 1 aligns with the FAR 52.204-21 requirements, which all federal contractors must meet. Organizations already doing business with the DoD should be compliant with these 17 basic cyber hygiene controls. These controls represent the minimum standards that any contractor should have in place.
Level 2
Level 2 requires organizations to develop, maintain, and resource a plan demonstrating the management of activities for implementing cybersecurity practices. This level focuses on protecting Controlled Unclassified Information (CUI) and includes all security requirements specified in NIST SP 800-171, along with additional methods to mitigate threats.
Level 3
CMMC 2.0 Level 3 is currently undefined but is expected (according to the Federal Register) to resemble CMMC 1.0 Level 5. This level requires organizations to standardize and optimize process implementation across the organization, with practices centered on protecting CUI from advanced persistent threats (APTs), thereby enhancing the depth and sophistication of cybersecurity capabilities.
CMMC Glossary of Key Terms and Definitions
Accreditation: The formal recognition by an authorized body that an organization meets the necessary requirements for certification under the CMMC framework.
Advanced Persistent Threat (APT): A sophisticated, stealthy cyberattack conducted by skilled adversaries over a prolonged period, aiming to gain unauthorized access to sensitive information or disrupt operations while remaining undetected.
Assessment: A systematic evaluation of an organization's cybersecurity practices against the requirements specified in the CMMC framework.
CMMC Third-Party Assessment Organization (C3PAO): An organization authorized to conduct assessments and certify contractors' compliance with CMMC requirements.
Capability: The ability of an organization to implement and sustain cybersecurity practices effectively.
Cybersecurity Maturity Model Certification (CMMC): A unified standard for implementing cybersecurity across the DIB sector, ensuring adequate protection of sensitive information.
Compliance: The state of adhering to all applicable cybersecurity requirements and standards, including those outlined in the CMMC.
Controlled Unclassified Information (CUI): Sensitive information that requires safeguarding and dissemination controls but is not classified.
Cyber Incident: Any adverse event that compromises the confidentiality, integrity, or availability of information systems or data, requiring response and mitigation measures.
Defense Federal Acquisition Regulation Supplement (DFARS): A set of cybersecurity requirements imposed by the DoD on contractors and subcontractors to protect CUI.
Defense Industrial Base (DIB): A collective term referring to companies and organizations involved in the production and supply chain of products and services for the DoD.
Federal Acquisition Regulation (FAR): The primary regulation used by U.S. federal agencies to govern the acquisition process.
Federal Contract Information (FCI): Sensitive but unclassified information, provided by or generated for the government under a non-public contract, that requires safeguarding.
Level: A company's maturity level within the CMMC framework. There are five levels, ranging from basic cyber hygiene practices to advanced cybersecurity capabilities.
Maturity: The extent to which an organization's cybersecurity processes and practices are present and consistently applied across the enterprise.
NIST SP 800-171: A framework containing security requirements for protecting CUI in non-federal systems and organizations.
Plan of Action and Milestones (POA&M): A document outlining the specific actions an organization plans to take to address identified weaknesses or deficiencies in its cybersecurity posture.
Practices: Specific actions or procedures recommended by the CMMC framework to achieve cybersecurity objectives.
Security Operations Center (SOC): A centralized unit responsible for monitoring, detecting, analyzing, and responding to cybersecurity incidents and threats.
10 CMMC Frequently Asked Questions (FAQs)
The interim DFARS rule established a five-year period where CMMC compliance is required only in select pilot contracts. Once CMMC 2.0 is codified through rulemaking, compliance will be mandatory for all.
CMMC 2.0 won’t become a contractual requirement until the DoD completes the rulemaking process, which can take up to 24 months.
The changes were made in response to feedback received from industry, Congress, and stakeholders, which called for cost reductions, increased trust in the assessment ecosystem, and clarification and alignment of cybersecurity requirements.
- Level 1. Basic Cyber Hygiene: Focuses on safeguarding FCI and requires the implementation of basic cybersecurity practices.
- Level 2. Intermediate Cyber Hygiene: Builds upon Level 1 by adding additional security practices to enhance the protection of CUI.
- Level 3. Good Cyber Hygiene: Requires the implementation of a comprehensive set of security controls to protect CUI, aligning with the requirements of NIST SP 800-171.
- Level 4. Proactive: Enhances cybersecurity practices to protect CUI from APTs and requires the implementation of additional controls beyond Level 3.
- Level 5. Advanced/Progressive: Represents an advanced level of cybersecurity maturity, focusing on the protection of CUI and reducing the risk of advanced threats through highly sophisticated security practices and processes.
Each of these levels builds upon the requirements of the previous level, with higher levels demonstrating more robust cybersecurity capabilities and maturity.
The DoD will publish a comprehensive cost analysis associated with each level as part of rulemaking. Costs are projected to be lower relative to CMMC 1.0 due to streamlined requirements and increased oversight.
The DoD will specify the required CMMC level in the solicitation once 2.0 is implemented.
Compliance with NIST standards is contractually required. CMMC assessments determine whether the applicable NIST standard has been met.
If contractors and subcontractors handle the same type of FCI and CUI, they will be required to maintain the same CMMC level.
Customer data is not necessarily CUI; FCI and CUI have specific definitions, and their respective handling depends on contractual agreements.
- Self-Assessment Levels:
  - Level 1. Organizations can perform self-assessments to demonstrate compliance with basic cybersecurity practices aimed at safeguarding FCI.
  - Level 2. Similar to Level 1, organizations can conduct self-assessments to demonstrate compliance with additional security practices.
- Levels Requiring Certification via a Third-Party Assessment:
  - Level 3. Certification is required for organizations handling CUI. This level builds upon Levels 1 and 2 and aligns with the requirements of NIST SP 800-171.
  - Level 4. Certification is required for organizations with a heightened focus on protecting CUI from APTs.
  - Level 5. Certification is required for organizations demonstrating advanced cybersecurity maturity and capabilities, aimed at further reducing the risk of APTs.
Five Immediate Recommended Actions for Companies Affected by CMMC 2.0
- Review current practices. Conduct a thorough review of current cybersecurity practices and assess their alignment with CMMC 2.0 requirements. Identify any gaps or areas needing improvement to meet the desired compliance level.
- Understand contractual obligations. Understand the specific CMMC requirements outlined in current and upcoming DoD contracts. Ensure clarity on the expected CMMC level and associated compliance deadlines.
- Develop a compliance roadmap. Develop a comprehensive roadmap outlining the steps and timeline for achieving CMMC compliance. Prioritize actions based on criticality and resource availability to streamline the compliance journey.
- Invest in training and resources. Invest in employee training and resources to enhance cybersecurity awareness and competence within the organization. Equip personnel with the knowledge and skills required to implement and maintain CMMC-compliant practices.
- Engage with CMMC experts. Engage with third-party assessment organizations (C3PAOs) for insights on achieving and maintaining compliance. Seek guidance from CMMC experts, such as TechMD, to navigate the compliance process effectively.
Additional CMMC 2.0 Resources
For defense contractors, staying updated on evolving cybersecurity standards isn’t just good business—it’s critical for national security. TechMD understands the defense sector’s unique security needs and has extensive expertise helping contractors navigate and implement the necessary steps to achieve and maintain compliance.
Watch our webinar, The Latest CMMC 2.0 Updates Explained: What Defense Contractors Need To Know, to ensure you’re taking the necessary steps to bring your organization compliantly into the future.