CMMC 101

Your guide to the fundamentals of the new cybersecurity framework being required by the Department of Defense (DoD) for all of its contractors.

CMMC 2.0 Fundamentals

This guide is intended to provide organizations with guidance in preparing for a Cybersecurity Maturity Model Certification (CMMC) Assessment. CMMC is a new Department of Defense (DoD) framework used to give the DoD a means to have some assurances as to the cybersecurity maturity of the Defense Industrial Base (DIB). This guide includes the following topics:

  • What is CMMC?
  • Who needs CMMC?
  • What determines my CMMC level?
  • What do I do?
  • Additional Information About Data Types


What is CMMC?

CMMC is a standard designed for the implementation of cybersecurity across the United States Defense Industrial Base (DIB) to protect Covered Defense Information (CDI). This includes Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The DIB is made up of over 300,000 commercial organizations that provide products or services to the United States Department of Defense (DoD) as a part of the execution of a contract.
The CMMC program is intended to validate the ability of DIB organizations to adequately protect sensitive unclassified information. The capabilities of organizations are validated against the CMMC security control framework. The CMMC framework is made of 3 maturity levels. Each maturity level is assigned a specified set of security and privacy controls that the organization must satisfy to achieve the associated level.

The CMMC framework currently comprises the administrative and technical requirements found within the 110 security controls of National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). These controls are divided among the following 14 control families:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)


Who needs CMMC?

Since 2017, all DoD contracts, other than those for acquisition of Commercial Off-the-Shelf (COTS) items, contain Defense Federal Acquisition Regulation Supplement (DFARS) contract clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. In addition, this clause must be included in subcontracts for which performance will involve CDI or operationally critical support. This clause requires that all contractors and subcontractors implement the security controls found in NIST SP 800-171. These are the same controls being assessed in CMMC Level 2.

DFARS clause 252.204-7012 allowed DIB organizations to self-attest that they met these requirements. After the clause was added to contracts, a two-year congressional study determined that very few DIB organizations were actually meeting the requirements they were attesting to. This led to the creation of DFARS 252.204-7019, 7020, and 7021. DFARS 252.204-7019 and 7020 establish assessment requirements and methodologies, whereas DFARS 252.204-7021 requires that a framework be established to ensure implementation of those other clauses.
DFARS clause 252.204-7021 will begin to be included as a condition of contract award for Department of Defense (DoD) contracts as soon as Q1 2024; this clause will eventually be present in all contracts issued by the DoD and possibly by other agencies soon after.

This contract clause will allow the issuing agency to require a DIB contractor to possess and maintain the CMMC maturity level designated within the clause. The certification level requirement is dictated by the importance and sensitivity of the data supplied or created as a part of the contract’s intended fulfillment.

What determines my CMMC level requirement?

The contents of an organization’s prime contracting or sub-contracting agreement will contain the DFARS 252.204-7021 contract clause. This contract clause dictates the minimum CMMC maturity level an organization must have achieved prior to being awarded the contract.

DoD contracts that only transfer and/or create FCI will require organizations to achieve a CMMC Maturity Level 1 certification through self-attestation of compliance to the 17 specified security controls from the CMMC framework. Organizations must satisfy the requirements to achieve this maturity level. Organizations that attest to, but don’t implement, the requirements risk severe consequences.

DoD contracts that transfer and/or create CUI, or include DFARS clause 252.204-7012, require organizations to satisfy all 110 security controls of the CMMC framework to obtain a CMMC Maturity Level 2 certification. This maturity level requires organizations to undergo an assessment from a CMMC 3rd Party Assessment Organization (C3PAO) to validate their compliance with the applicable security controls.

As of this publication, the requirements to obtain CMMC Maturity Level 3 have not been finalized. Because CMMC is additive in nature, organizations can expect to satisfy all 110 security requirements found in Maturity Levels 1 and 2. Additionally, organizations will have to satisfy other security controls which will be extracted from the National Institute of Standards and Technology (NIST) Special Publication 800-172.

What is Maturity Level 1?

CMMC Maturity Level 1 is the lowest of the CMMC certification levels. It is therefore designated as the Foundational level. Its requirements consist of basic cybersecurity practices of 17 security controls extracted from the following six CMMC security families:

  • Access Control (AC)
  • Identification and Authentication (IA)
  • Media Protection (MP)
  • Physical Protection (PE)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

What is Maturity Level 2?

CMMC Maturity Level 2 applies to entities within the Defense Industrial Base (DIB) that handle or process the following types of data:

  • Controlled Unclassified Information (CUI) / Covered Defense Information (CDI)
  • Controlled Technical Information (CTI)
  • International Traffic in Arms Regulations (ITAR) Data

Much of the DIB is going to need to meet Level 2 requirements. Level 2 covers all 14 domains that are part of CMMC. Across these 14 domains there are 110 practices that must be adhered to.

What do I do?

Each maturity level in the CMMC framework has different control requirements. These control requirements do not overlap; they build on each other. As your organization’s cybersecurity maturity level increases, it is not necessary to modify controls that were already implemented for lower maturity levels. The process of creating policies and implementing the controls for each maturity level follows the same pattern:

  1. Identify the CMMC Assessment Scope
  2. Create policies and procedures that outline controls to be implemented
  3. Implement the controls outlined in policies and procedures
  4. Perform Self-Assessment
  5. 3rd Party Assessment (if required)
  6. Ongoing Cybersecurity & Data Privacy Program Governance

Data Type Considerations

The reality of security and data protection controls is that every control implemented is a cost incurred by the organization. It therefore makes financial sense for organizations to understand exactly where controls must be implemented, rather than applying “blanket coverage” of controls that could be cost-prohibitive. The considerations below regarding each data type can help with this.

CONTROLLED UNCLASSIFIED INFORMATION (CUI)

If you are unsure what CUI data is, you are highly encouraged to visit the US government’s authoritative source on CUI, the US National Archives’ CUI Registry - https://www.archives.gov/cui/registry/category-list. However, to help prevent making everything CUI, per Section 3(b) of Executive Order 13556, "if there is significant doubt about whether information should be designated as CUI, it shall not be so designated."

DFARS 252.204-7012 establishes the need to protect CUI by providing “adequate” protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information. This DFARS clause requires compliance with NIST SP 800-171 on all “Covered Contractor Information Systems.”

  • Covered Contractor Information System (CCIS) means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits “Covered Defense Information.”
  • Covered Defense Information (CDI) means unclassified “Controlled Technical Information” or other information, as described in the CUI Registry.
  • Controlled Technical Information (CTI) means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.

Examples of technical information include, but are not limited to:

  • Research and engineering data
  • Engineering drawings
  • Associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and
  • Computer software executable code and source code.

NIST SP 800-171 requires private companies to protect the confidentiality of CUI where it is stored, transmitted and/or processed. The CUI requirements within NIST SP 800-171 are directly linked to NIST SP 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and government/DoD contractors.

FEDERAL CONTRACT INFORMATION (FCI)

FCI is a very broad data classification category. Federal Acquisition Regulation (FAR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, lists fifteen (15) cybersecurity requirements.[1] These requirements form the basis of Cybersecurity Maturity Model Certification (CMMC) Level 1 practices. In addition to these, there are two (2) practices included from NIST SP 800-171.

Per FAR 52.204-21, FCI is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”

FCI includes any communication or representation of knowledge such as:

  • Facts
  • Data
  • Opinions

FCI can be in any medium or form, including:

  • Textual
  • Numerical
  • Graphic
  • Cartographic
  • Narrative
  • Audiovisual

INTELLECTUAL PROPERTY (IP)

Not all IP is equally valued by organizations, so it is important for an organization to develop a data classification scheme to appropriately protect its IP. Data classification schemes allow an organization to prioritize controls around “crown jewels” IP that are essential to the viability of its business model, as compared to low value IP that requires less-stringent security protections.

Per the World Trade Organization (WTO), IP can be defined in several ways:

  • Copyright and rights related to copyright (e.g., literary, and artistic works); and
  • Industrial property:
    • Trademarks
    • Patents
    • Industrial designs
    • Trade secrets

EXPORT-CONTROLLED DATA

Per 15 CFR § 730-774, the U.S. Department of Commerce regulates the export of “dual use” items according to the Export Administration Regulations (EAR). EAR items include goods and related technology, including technical data and technical assistance, which are designed for commercial purposes, but which could have military applications.

The list of EAR-controlled items is commonly referred to as the Commerce Control List (CCL).[2] The CCL groups these covered items into 10 broad categories:

  1. Nuclear Materials, Facilities and Equipment, and Miscellaneous
  2. Materials, Chemicals, Microorganisms, and Toxins
  3. Materials Processing
  4. Electronics
  5. Computers
  6. Telecommunications and Information Security
  7. Lasers and Sensors
  8. Navigation and Avionics
  9. Marine
  10. Propulsion Systems, Space Vehicles, and Related Equipment

EAR covers a broad range of categories:

  • “Technical Data” may take forms such as:
    • Blueprints
    • Plans
    • Diagrams
    • Models
    • Formulae
    • Tables
    • Engineering designs and specifications; and
    • Manuals and instructions.
  • “Technical Assistance” may take forms such as:
    • Instruction
    • Skills training; and
    • Consulting services.

Within EAR, there are country-specific restrictions:

  • D:1 (National Security)
  • D:2 (Nuclear)
  • D:3 (Chemical & Biological)
  • D:4 (Missile Technology)
  • D:5 (US Arms Embargoed Countries)
  • E:1 (Terrorist Supporting Countries)
  • E:2 (Unilateral Embargo)

CRITICAL INFRASTRUCTURE INFORMATION (CII)

Per Section 671(3) of the Critical Infrastructure Information Act of 2002 (6 U.S.C. 131(3)), CII is defined as information not customarily in the public domain and related to the security of critical infrastructure or protected systems, including information concerning:

  1. Actual, potential, or threatened interference with, attack on, compromise of, or incapacitation of critical infrastructure or protected systems by either physical or computer-based attack or other similar conduct (including the misuse of or unauthorized access to all types of communications and data transmission systems) that violates Federal, State, or local law, harms interstate commerce of the United States, or threatens public health or safety.
  2. The ability of any critical infrastructure or protected system to resist such interference, compromise, or incapacitation, including any planned or past assessment, projection, or estimate of the vulnerability of critical infrastructure or a protected system, including security testing, risk evaluation thereto, risk management planning, or risk audit.
  3. Any planned or past operational problem or solution regarding critical infrastructure or protected systems, including repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to such interference, compromise, or incapacitation.

[1] FAR 52.204-21 - https://www.acquisition.gov/content/52204-21-basic-safeguarding-covered-contractor-information-systems

[2] Commerce Control List - https://www.bis.doc.gov/index.php/regulations/commerce-control-list-ccl