The United States Department of Defense (DoD) has developed a certification program to combat potential cybersecurity encroachment by nefarious actors. The Cybersecurity Maturity Model Certification (CMMC) program enables the DoD to standardize cybersecurity preparedness across the defense industrial base (DIB). Program certification will become a requirement by 2026 for contractors conducting business with the DoD. This white paper provides insight for those companies who anticipate obtaining defense contracts, or have current contracts, to meet the requirements for CMMC accreditation.
The CMMC program measures a federal contractors’ capabilities, readiness, and sophistication in the area of cybersecurity. CMMC is a framework for the enforcement of existing Defense Federal Acquisition Regulation Supplement (DFARS) requirements developed in 2017 to provide security protection for Controlled Unclassified Information (CUI). The framework also includes cybersecurity contributions from the National Institute of Standards and Technology (NIST) and the Federal Acquisition Regulation (FAR). The program’s main focus is to enhance the surety and security of CUI and Federal Contract Information (FCI) expended by federal contractors. Prospective federal contractors must complete a CMMC System Security Plan (SSP) in order to be considered for inclusion in the program. Based on the information submitted in the SSP the DoD will assign a certification level to the contract(s) issued to the authorized business entity.
The CMMC program contains 5 levels of maturity. The cybersecurity requirements become more advanced as the levels increase.
As previously referenced, each prospective contractor must submit an SSP to become CMMC certified. The SSP contains 17 sections or “Domains” with a subset of 171 “Practices”. The prospective contractor must describe how they plan to manage and maintain each Domain within their organization by providing information around how they will handle each Practice within a Domain.Here is an overview of the SSP framework reflecting the Domains and corresponding Practices.
CMMC accreditation applies to any contractor (primary or sub) who engage with the DoD to fulfill federal contracts. Although some level of certification will be a requirement of every contract starting in 2026, contracts will be issued at all 5 levels of the maturity model. As such, some contracts will require only a low level of certification, while others will require a higher certification level, depending on the cybersecurity assessment established by the DoD for a particular contract.
CMMC serves as a verification tool to ensure appropriate cybersecurity practices are being adhered to by every DoD contractor. The Department of Defense is migrating to the CMMC framework in order to assess, regulate and enhance the cybersecurity stance of their contractors. The program will establish a verification process to ensure appropriate cybersecurity practices are enforced. The intent is to confirm that basic cyber security controls are protecting controlled unclassified information (CUI) used and maintained by those contractors working with the DoD.
Some things each company must consider with determining whether they should become certified.
CMMC levels required for primary contractors will be specified in Requests For Information (RFIs) and Requests for Proposals (RFPs). The level of certification for sub‐contractors depends upon the type and nature of the information they receive from the primary contractor. Based on DoD examples, primary contractors will likely need to achieve at least Level 3, while sub‐contractors may only need to obtain Level 1.
A contractor can achieve a specific CMMC level for its entire enterprise or for a particular segment, depending on where the information to be protected is managed and maintained within their environment. An organization can decide to attain a base CMMC level for the entire organization and be certified at higher levels for certain segments based on the requirements of the contract.
Current DoD guidelines stipulate that CMMC accreditation will be valid for three years.
DoD has created the CMMC Accreditation Body(AB) which is a non‐profit, independent organization to certify Third Party Assessment Organizations (3PAOs) in addition to individual assessors. Details are forthcoming about the mechanics of certification, but DoD plans to establish a marketplace for 3PAOs to be evaluated and hired by contractors seeking certification.
Getting started with CMMC might seem to be a formidable task, and the reality is that certification is just too large to be addressed by one person or even a team within an organization. Nevertheless, certification will be a non‐negotiable requirement of DoD contractors moving forward. EKKO Consulting can help you get started.Request Demo