The Department of Defense (DoD) and other government agencies rely on Cybersecurity Maturity Model Certification (CMMC) to determine whether an organization has the appropriate security measures in place to handle sensitive government data, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC was implemented by the DoD as a unified standard to improve the protection of the defense industrial base (DIB).
Similar to other security frameworks, CMMC is made up of a collection of controls for practices and processes with the objective of achieving a certain level of cybersecurity maturity. Companies that wish to work with the DoD will first need to be assessed at the CMMC level their contract requires. This typically involves implementing the required practices (for Level 2, the 110 security requirements of NIST SP 800-171), documenting them in a system security plan, and continuing to operate those practices within the organization after the assessment.
Here is a look at eight frequently asked questions about CMMC compliance:
1. What Is the Difference Between CMMC 1.0 and CMMC 2.0?
CMMC version 1.0 was released in January 2020, and in September 2020 the DoD published an interim rule in the Federal Register (DFARS Case 2019-D041) to begin putting it into contracts. This interim rule consisted of a five-tiered level model, contract requirements, and implementation structures. In November 2021, the DoD announced an update to the CMMC program after conducting an internal review of CMMC 1.0. The updated program, CMMC 2.0, reduces the model to three levels, aligns Levels 2 and 3 with NIST SP 800-171 and NIST SP 800-172, removes the CMMC-unique practices and maturity processes, and allows self-assessment for some contracts. The stated goals are to safeguard sensitive information, minimize barriers to compliance, and enhance DIB security.
2. How Will Companies Know What Level Is Required for a Contract?
Some organizations are unsure of what CMMC level they must meet to start or continue working with the DoD. Once CMMC 2.0 is implemented, the required level will be stated in each solicitation and contract, based on the sensitivity of the information the contractor will handle. CMMC 2.0 is made up of three maturity levels: Level 1 (Foundational) for companies that handle only FCI, Level 2 (Advanced) for companies that handle CUI, and Level 3 (Expert) for companies that handle CUI on the DoD's highest-priority programs.
3. When Will CMMC 2.0 Become a Requirement for DoD Contracts?
Organizations working with the DoD do not yet have to meet CMMC requirements. CMMC 2.0 is still in the process of rulemaking, which the DoD estimated would take 9 to 24 months to complete. Once the rulemaking process has been finalized, CMMC 2.0 will become a requirement for the DIB. Note that existing contract obligations are unaffected by this delay: contractors that handle CUI must already implement NIST SP 800-171 under DFARS clause 252.204-7012 and, where DFARS 252.204-7019 and 7020 apply, report a self-assessment score in the Supplier Performance Risk System (SPRS).
4. Why Did the DoD Decide to Make Changes to CMMC?
There are several reasons why the DoD chose to update CMMC. First, roughly 850 public comments on the interim rule, along with feedback from Congress, industry stakeholders, and other supporting members, prompted the DoD to perform an internal review of CMMC 1.0. This review resulted in a push to reduce costs and improve efficiencies. The update also clarified the relationship between CMMC and existing federal cybersecurity requirements by aligning the model directly with NIST SP 800-171 and NIST SP 800-172 instead of the CMMC-specific practices and processes found in version 1.0.
5. Who Performs CMMC Assessments and How Often Are They Required?
Once CMMC 2.0 has been fully implemented, who performs the assessment depends on the level. Level 1 and a subset of Level 2 (contracts involving non-prioritized CUI) will use annual self-assessments. Level 2 contracts involving prioritized CUI will require an assessment every three years by an accredited and authorized CMMC Third-Party Assessment Organization (C3PAO). Level 3 will require a government-led assessment every three years, performed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). At every level, a senior company official must also affirm annually that the organization continues to meet the requirements.
6. Do All Organizations that Contract with the DoD Require Certification?
Not all organizations that enter into or continue a contract with the DoD will require the same level of certification. Under CMMC 2.0, DIB companies that do not process, store, or transmit Controlled Unclassified Information (CUI) on their unclassified networks, but do store, process, or handle Federal Contract Information (FCI), will need to perform a Level 1 self-assessment. The results of the assessment must be submitted with an annual affirmation by a senior company official. Companies that handle CUI will need to meet Level 2 or Level 3, depending on the contract.
7. Are the Results of CMMC Assessments Made Public?
After CMMC 2.0 is fully implemented, the DoD will hold information relating to an organization's assessment, which is expected to include the assessment results and the final report. The results of self-assessments will be stored in the Supplier Performance Risk System (SPRS). CMMC-related certificates and third-party assessment data will be stored in the Enterprise Mission Assurance Support Services (eMASS) database, and a copy of an organization's CMMC certificate will be posted automatically from eMASS to SPRS. Detailed results of a CMMC assessment are not made public.
8. What Is the Cost of CMMC Certification?
The exact pricing for CMMC certification has not yet been made public. CMMC assessment pricing depends on several factors, such as the target CMMC level, market rates for assessors, and the size and complexity of the portion of the organization's unclassified network that falls within the assessment boundary. The DoD's cost estimate will be published in the Federal Register as part of the rulemaking process.
Schedule a Consultation with SeaGlass Technology
Organizations that wish to work with the DoD in the future must meet the CMMC 2.0 level required by their contracts. To learn more about CMMC compliance or to schedule a consultation with an IT security expert, contact SeaGlass Technology.