In 2019, the DoD released what became known as the Cybersecurity Maturity Model Certification (CMMC) as a means of assurance that all parties involved in the government supply chain would maintain adequate and standardized cybersecurity protocols. Subpart 204.75 was added in 2020 to include the related policies, procedures and contract clauses.
The purpose of DFARS and CMMC is to enhance cybersecurity requirements for contractors and other entities that do business with the DoD.
DFARS defines the requirements outlined in the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800-171. These requirements serve to protect Controlled Unclassified Information (CUI) that flows from the federal government to private and public contractors, so that it does not fall prey to cyber threats.
What are CMMC Requirements?

The requirements for CMMC certification depend on the level of certification.
Here is a short explanation of the certification levels. Each level builds upon the previous level's requirements: for example, to complete Level 2, you will need to have completed all the requirements of Level 1 plus additional requirements.
| Level | Name | Requirements |
|---|---|---|
| Level 1 | Basic Cyber Hygiene | DoD service providers seeking certification at this level must implement 7 controls of NIST SP 800-171 Rev1. |
| Level 2 | Intermediate Cyber Hygiene | DoD service providers must implement a further 48 controls of NIST SP 800-171 Rev1 as well as seven new "Other" controls. |
| Level 3 | Good Cyber Hygiene | To achieve Level 3 certification, the remaining 45 controls of NIST SP 800-171 Rev1 and 13 new "Other" controls must be implemented. |
| Level 4 | Proactive Cybersecurity | In addition to the controls from Levels 1 through 3, 11 further controls of NIST SP 800-171 Rev2 plus 15 new "Other" controls are required. |
| Level 5 | Advanced/Progressive Cybersecurity | For the highest level, DoD service providers must implement the last four controls of NIST SP 800-171 Rev2 together with 11 new "Other" controls. |
In November of 2021, the DoD updated its program and requirements to CMMC 2.0 with the following goals:
- Safeguard sensitive information to enable and protect the warfighter
- Dynamically enhance DIB cybersecurity to meet evolving threats
- Ensure accountability while minimizing barriers to compliance with DoD requirements
- Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience
- Maintain public trust through high professional and ethical standards
CMMC Model 2.0 streamlines the certification levels, reducing them from five to three as follows:
| Level | Name | Requirements |
|---|---|---|
| Level 1 | Foundational | DoD service providers seeking certification at this level must implement 17 model practices and complete an annual self-assessment. |
| Level 2 | Advanced | DoD service providers must implement 110 model practices aligned with NIST SP 800-171. Triennial third-party assessments are required for critical national security information, and an annual self-assessment for select programs. |
| Level 3 | Expert | DoD service providers must implement more than 110 model practices based on NIST SP 800-172, along with triennial government-led assessments. |