CMMC Security and Compliance Requirements
CMMC 2.0 (Cybersecurity Maturity Model Certification) requirements are mandated for organizations in the defense industrial base (DIB) to ensure that federal contract information (FCI) and controlled unclassified information (CUI) are protected.
The stated objectives for CMMC 2.0 (and similar defense-related requirements) include:
- Contributing to a collaborative culture of cybersecurity and cyber resilience.
- Protecting privileged defense-related data across the supply chain.
- Dynamically enhancing DIB cybersecurity to meet evolving cyber-threats.
- Ensuring contractors’ and subcontractors’ accountability, while minimizing barriers to compliance, by specifying the U.S. Department of Defense’s (DoD’s) requirements.
- Maintaining public trust of the DIB through high professional and ethical standards.
- Safeguarding sensitive information, which can have significant value to U.S. adversaries.
Originally launched in 2020, CMMC version 1.0 was updated to CMMC 2.0 in November 2021. The updated CMMC requirements in version 2.0 reflected hundreds of public comments from the DIB community, the U.S. Congress, and other stakeholders. CMMC 2.0’s requirements were further clarified by a Proposed Rule from the DoD in December 2023.
As CMMC 2.0 has evolved over the years, drivers for improvement have included the following:
- Reducing organizations’ potential costs to meet CMMC requirements.
- Increasing overall trust in the CMMC assessment ecosystem.
- Continuing to align CMMC requirements with commonly accepted cybersecurity standards.
What are CMMC Requirements?
CMMC requirements must be adhered to by DIB contractors and subcontractors in the DoD supply chain. As a result, CMMC directly impacts hundreds of thousands of organizations that work with the DoD. Assessment requirements by CMMC level can be recapped as follows: at CMMC 2.0 compliance Level 1, self-assessments are deemed an acceptable form of verification that organizations are adhering to the requirements.
At CMMC Level 2, a certified third-party assessment organization (C3PAO) is required to conduct an assessment and determine if the organization qualifies for certification. At CMMC Level 3, the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will perform an assessment of CMMC Level 3 security requirements in accordance with NIST SP 800-172A for information systems within the Level 3 CMMC Assessment Scope, determined in accordance with § 170.19. The assessment will be scored in accordance with the CMMC Scoring Methodology set forth in § 170.24, and final results are subsequently communicated to the Organization Seeking Certification (OSC) through a CMMC Assessment Findings Report.
In the execution of the CMMC Level 3 Certification Assessment, DCMA DIBCAC may perform checks of CMMC Level 2 security requirements in accordance with CMMC Level 3 scoping. If DCMA DIBCAC identifies that a Level 2 security requirement is not met, the Level 3 assessment process may be placed on hold or terminated.
CMMC Compliance Requirements and Regulations
While CMMC’s requirements are closely aligned with several National Institute of Standards and Technology (NIST) special publications, NIST and CMMC requirements are not completely identical. Rather, CMMC’s requirements draw on NIST’s standards and on the other frameworks detailed below.
Following is a summary of the cybersecurity frameworks that have influenced CMMC’s requirements:
At a Glance: Other Frameworks and Cybersecurity Principles Included in CMMC

| CMMC Level | Frameworks and Principles Included |
|---|---|
| CMMC Level 1 | FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems |
| CMMC Level 2 | FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems; NIST SP 800-171 Rev. 2 |
| CMMC Level 3 (Note: As of June 2024, requirements for CMMC 2.0 Level 3 are still being finalized) | FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems; NIST SP 800-171 Rev. 2; NIST SP 800-172 Rev. 2; NIST SP 800-53; DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting; DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements; DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements; DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements; ISO/IEC 27002: Standard focused on Information Security Controls; CERT Resilience Management Model (CERT RMM v1.2); CIS Critical Security Controls (CIS CSC v7.1) |

Here’s a brief overview of each of the standards, in the order that they’re presented in the chart above.
- FAR 52.204-21: Specifies 15 security requirements that DIB suppliers and contractors need to implement, in order to safeguard information that’s classified as FCI or CUI.
- NIST SP 800-171 Rev. 2: Provides recommended requirements for protecting the confidentiality of CUI.
- NIST SP 800-172 Rev. 2: Enhances security requirements for protecting the confidentiality of CUI when: (1) the information is resident in non-federal systems and organizations; (2) the non-federal organization is not collecting or maintaining information on behalf of a federal agency, or using or operating a system on behalf of an agency; and (3) there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category that’s listed in the CUI Registry.
- NIST SP 800-53: Defines the minimum security controls for all federal information systems, except for those related to national security.
- DFARS 252.204-7012: Requires DIB suppliers and contractors to provide “adequate security” for covered defense information that is processed, stored, or transmitted on the contractor’s internal information system or network.
- DFARS 252.204-7019: Requires DIB suppliers and contractors to correctly report and maintain their self-assessments concerning compliance with the NIST SP 800-171 cybersecurity framework under DFARS 252.204-7012.
- DFARS 252.204-7020: Informs DIB suppliers and contractors that the DoD has the right to access “facilities, systems and personnel” that manage, process, store, or transmit controlled unclassified information in the event the DoD deems it necessary to perform a Medium or High-level Assessment.
- DFARS 252.204-7021: Details the CMMC framework, which measures a contractor’s cybersecurity maturity, including implementation of cybersecurity practices and institutionalization of those processes.
- ISO/IEC 27002: Includes a collection of information security guidelines that are intended to help organizations implement, maintain, and improve information security management.
- CERT RMM v1.2: Provides DIB suppliers and contractors with the CERT Resilience Management Model’s (CERT-RMM) process areas, generic goals/practices, glossary, and relevant acronyms.
- CIS CSC v7.1: Gives DIB suppliers and contractors a prioritized set of best practices to improve their cybersecurity posture.
CMMC Security Requirements
CMMC 2.0 requirements at Level 1 include 17 security practices (sometimes referred to as controls) under 6 domains, recapped below.

| # | Domain | Practices |
|---|---|---|
| 1 | Access Control (AC) | 4 practices |
| 2 | Identification and Authentication (IA) | 2 practices |
| 3 | Media Protection (MP) | 1 practice |
| 4 | Physical Protection (PE) | 4 practices |
| 5 | System and Communications Protection (SC) | 2 practices |
| 6 | System and Information Integrity (SI) | 4 practices |
CMMC 2.0 requirements at Level 2 include 110 practices (again, sometimes referred to as controls) grouped under 14 domains, summarized as follows:

| # | Domain | Practices |
|---|---|---|
| 1 | Access Control (AC) | 22 practices |
| 2 | Awareness and Training (AT) | 3 practices |
| 3 | Audit and Accountability (AU) | 9 practices |
| 4 | Configuration Management (CM) | 9 practices |
| 5 | Identification and Authentication (IA) | 11 practices |
| 6 | Incident Response (IR) | 3 practices |
| 7 | Maintenance (MA) | 6 practices |
| 8 | Media Protection (MP) | 9 practices |
| 9 | Personnel Security (PS) | 2 practices |
| 10 | Physical Protection (PE) | 6 practices |
| 11 | Risk Assessment (RA) | 3 practices |
| 12 | Security Assessment (CA) | 4 practices |
| 13 | System and Communications Protection (SC) | 16 practices |
| 14 | System and Information Integrity (SI) | 7 practices |
CMMC 2.0 requirements for Level 3 are still being finalized, as of June 2024.
CMMC Requirements Embody Security Best Practices
The DoD considers CMMC requirements a critical part of its defense against cyber threats that continue to grow in volume and sophistication. While organizations must invest significant time, money, and discipline to adhere to the CMMC requirements, the result is better cybersecurity and the certification needed to bid on DoD contracts.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 22,000 customers with millions of users worldwide.
Last Updated: 17th June, 2024