CMMC Security and Compliance Requirements
CMMC (Cybersecurity Maturity Model Certification) requirements are mandated for organizations in the defense industrial base (DIB) to ensure that federal contract information (FCI) and controlled unclassified information (CUI) are protected. Among the stated objectives for the CMMC requirements are:
- Contribute towards instilling a collaborative culture of cybersecurity and cyber resilience.
- Dynamically enhance DIB cybersecurity to meet evolving threats.
- Ensure accountability while minimizing barriers to compliance with U.S. Department of Defense (DoD) requirements.
- Maintain public trust through high professional and ethical standards.
- Safeguard sensitive information.
Launched on January 1, 2020, CMMC version 1.0 was recalled, and version 2.0 was issued in 2021. The CMMC requirements in version 2.0 reflect more than 850 public comments from the DIB, Congress, and other stakeholders. The key takeaways were that the first version needed to be updated to:
- Reduce organizations’ costs to meet CMMC requirements
- Increase trust in the CMMC assessment ecosystem
- Align CMMC requirements with other federal requirements and commonly accepted standards
What are CMMC Requirements?
CMMC requirements must be adhered to by all individuals and DIB organizations in the DoD supply chain. This includes hundreds of thousands of suppliers, contractors, and subcontractors that work with the DoD.
At the lowest level, CMMC Level 1, self-assessments are deemed acceptable forms of verification that organizations are adhering to the requirements. At CMMC Level 2 and CMMC Level 3, a private third-party assessment organization (C3PAO) is required to conduct an audit and determine whether the organization qualifies for certification.
The CMMC Accreditation Body (CMMC-AB) has established a process to qualify private C3PAOs and assessors to determine CMMC levels.
The U.S. Department of Defense authorizes the CMMC Accreditation Body to be the sole authoritative source for operationalizing CMMC Assessments and Training with the DOD contractor community or other communities that may adopt the CMMC.
The CMMC-AB operates under an exclusive contract with the DoD that charges and authorizes the CMMC-AB to serve as the sole provider of CMMC licensing and certification for C3PAOs, Training Providers, Instructors, and Assessors.
Source: The CMMC Accreditation Body
CMMC Compliance Requirements and Regulations
While CMMC requirements are closely aligned with NIST, the two are not synonymous. CMMC draws heavily on NIST publications, but also on other frameworks. Following is a summary of the frameworks that are included in the CMMC.
At a Glance: Other Frameworks and Cybersecurity Principles Included in CMMC

| CMMC Level 1 | CMMC Level 2 | CMMC Level 3 |
| --- | --- | --- |
| | NIST SP 800-171 controls | CERT RMM v1.2 |
| | | CIS Critical Security Controls (CSC) 7.1 |
| | | DFARS 70s (7012, 7019, 7020, 7021) |
| | | NIST SP 800-53 |
| | | NIST SP 800-171 |
| | | NIST SP 800-172 |
| | | CUI (Controlled Unclassified Information) Controls |
| | | NFO (Non-Federal Organization) Controls |
- CERT RMM v1.2: Provides DIB suppliers and contractors with the CERT Resilience Management Model's (CERT-RMM) process areas, generic goals and practices, glossary, and acronyms.
- CIS CSC 7.1: Gives DIB suppliers and contractors a prioritized set of best practices to use to improve their cybersecurity posture.
- DFARS 7012: Requires DIB suppliers and contractors to provide "adequate security" for covered defense information that is processed, stored, or transmitted on the contractor's internal information system or network.
- DFARS 7019: Requires DIB suppliers and contractors to correctly report and maintain their self-assessments concerning compliance with the NIST 800-171 cybersecurity framework under DFARS 7012.
- DFARS 7020: Informs DIB suppliers and contractors that the DoD has the right to access "facilities, systems and personnel" that manage, process, store, or transmit controlled unclassified information in the event the DoD deems it necessary to perform a Medium or High Assessment on them.
- FAR 52.204-21: Specifies 15 security requirements that DIB suppliers and contractors have to implement to safeguard a category of information classified as FCI or CUI.
- ISO 27002: Includes a collection of information security guidelines that are intended to help an organization implement, maintain, and improve its information security management.
- NIST SP 800-53: Defines the minimum security controls for all federal information systems except those related to national security.
- NIST SP 800-171: Provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI).
- NIST SP 800-172: Enhances security requirements for protecting the confidentiality of CUI: (1) when the information is resident in nonfederal systems and organizations; (2) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and (3) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry.
CMMC Security Requirements
CMMC requirements at Level 1 include 17 security controls under 6 domains.
| Domain | Controls |
| --- | --- |
| 1. Access Control (AC) | 4 controls |
| 2. Identification and Authentication (IA) | 2 controls |
| 3. Media Protection (MP) | 1 control |
| 4. Physical Protection (PE) | 4 controls |
| 5. System and Communications Protection (SC) | 2 controls |
| 6. System and Information Integrity (SI) | 4 controls |
CMMC requirements at Level 2 include 110 controls grouped under 14 domains and
| Domain | Controls |
| --- | --- |
| 1. Access Control (AC) | 22 controls |
| 2. Awareness Training (AT) | 3 controls |
| 3. Audit and Accountability (AU) | 9 controls |
| 4. Configuration Management (CM) | 9 controls |
| 5. Identification and Authentication (IA) | 11 controls |
| 6. Incident Response (IR) | 3 controls |
| 7. Maintenance (MA) | 6 controls |
| 8. Media Protection (MP) | 9 controls |
| 9. Personnel Security (PS) | 2 controls |
| 10. Physical Protection (PE) | 6 controls |
| 11. Risk Assessment (RA) | 3 controls |
| 12. Security Assessment (SA) | 4 controls |
| 13. System and Communications Protection (SC) | 16 controls |
| 14. System and Information Integrity (SI) | 7 controls |
CMMC requirements at Level 3 include 130 controls grouped under 16 domains and those under CMMC Levels 1 and 2.
| Domain | Controls |
| --- | --- |
| 1. Access Control (AC) | 8 controls |
| 2. Asset Management | 1 control |
| 3. Audit and Accountability | 7 controls |
| 4. Awareness Training (AT) | 1 control |
| 5. Configuration Management (CM) | 3 controls |
| 6. Identification and Authentication (IA) | 4 controls |
| 7. Incident Response (IR) | 2 controls |
| 8. Maintenance (MA) | 2 controls |
| 9. Media Protection (MP) | 4 controls |
| 10. Physical Protection | 6 controls |
| 11. Recovery | 1 control |
| 12. Risk Assessment (RA) | 3 controls |
| 13. Security Assessment (SA) | 2 controls |
| 14. Situational Awareness | 1 control |
| 15. System and Communications Protection (SC) | 15 controls |
| 16. System and Information Integrity (SI) | 3 controls |
CMMC Requirements Embody Security Best Practices
The DoD considers CMMC requirements a critical part of its defense against cyber threats that continue to grow in volume and sophistication. While organizations must invest significant time, money, and discipline to adhere to the CMMC requirements, the result is better cybersecurity and the certification needed to bid on DoD contracts.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 2nd August, 2022