Department of Defense & CMMC
The U.S. Department of Defense (DoD) and CMMC go hand in hand. The CMMC, or Cybersecurity Maturity Model Certification, is a compliance program created by the DoD. The primary objective of the DoD’s CMMC program is to make it easier and less expensive for the defense industrial base (DIB) to do business with the DoD, by mandating uniform cybersecurity standards.
DoD CMMC eliminates cumbersome and disparate security requirements to facilitate the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). It will also help the DoD to objectively evaluate contractors’ cybersecurity capabilities, readiness, and levels of cyber-protection.
A collection of cybersecurity standards and best practices, DoD CMMC defines security requirements according to three cybersecurity maturity levels. The scale ranges from Level 1- for organizations that only manage FCI- to Level 3 for organizations that manage the DoD’s most sensitive data.
Receiving certification at each level of DoD CMMC means that organizations have met and adhere to baseline security controls. DoD CMMC controls are based largely on other frameworks and inputs from existing cybersecurity standards, including the National Institute of Standards and Technology (NIST), Federal Acquisition Regulation (FAR), and Defense Federal Acquisition Regulation Supplement (DFARS).
Let’s jump in and learn:
What Is Controlled Unclassified Information (CUI)?
Established by Executive Order 13556 in 2010, the CUI program standardizes how the entire Executive branch handles unclassified information. Any unclassified information created or possessed by the government or any entity that works with the government must follow the rules for CUI.
According to the Executive Order, CUI is “information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified.”
Since the DoD is an agency within the Executive branch of the U.S. government, CUI requirements apply to it, and to all contractors and subcontractors in the Defense Industrial Base (DIB). In the case of DIB, the DoD must ensure that CUI is not lost to cybercriminals who target smaller contractors and non-government organizations (NGOs) because they often don’t have large cybersecurity teams with sizable security budgets. Hence, DoD CMMC details security measures that are focused on safeguarding CUI.
DoD & CMMC Requirements
The DoD cybersecurity requirements revolve around CMMC security controls or requirements that are defined for each level.
- DoD CMMC Level 1 has 15 security requirements that are aligned with FAR 52.204-21.
- DoD CMMC Level 2 contains 110 requirements that are aligned with NIST SP 800-171 Rev. 2.
- The most stringent requirements apply to DoD CMMC Level 3. Level 3 includes the 110 requirements that comprise CMMC Level 2, along with 24 additional requirements from NIST SP 800-172.
DoD Cybersecurity
As with any organization, DoD cybersecurity is only as strong as its weakest link. CMMC drives DoD cybersecurity best practices and processes into the DIB community. By requiring those organizations to adhere to DoD’s cybersecurity standards, DoD CMMC maintains the quality and efficacy of security throughout its supply chain.
DoD Cybersecurity Maturity Model Certification
To work with or sell products to the DoD, thousands of organizations must certify compliance with DoD CMMC’s requirements. The processes and requirements for certification vary based on the DoD CMMC level.
Over time, the different CMMC levels will be noted on all DoD RFPs. DoD CMMC Level 1 is the minimum requirement for any organization that wants to work with the DoD. For contracts that involve the handling of CUI, an organization must have at least a DoD CMMC Level 2 certification to qualify.
An organization should assess the types of contracts it wants to pursue and procure any required certifications for those DoD CMMC levels. Since the bidding process for these contracts can be onerous, organizations are encouraged to conduct a pre-assessment of their security preparedness against their required DoD CMMC level.
Self-assessments are sufficient for DoD CMMC Level 1, but an assessment by a Certified Third-Party Assessment Organization (C3PAO) is required for DoD CMMC Level 2.
A C3PAO is authorized to provide assessments to organizations that are applying for DoD CMMC certification. As part of the certification process, the C3PAO verifies and validates that the organization has implemented cybersecurity controls as required by its specified DoD CMMC level. Based on the evaluation, the C3PAO provides a pass or fail recommendation and documents deficiencies.
The organization will have a limited time period to remediate issues that are identified during the assessment. If the requirements are met, a certificate of compliance is issued according to the DoD CMMC level of qualification that the organization has achieved. The DoD CMMC qualification certificate will be valid for three years, after which the organization must undergo another assessment to be recertified.
Formal certification for CMMC Level 3 is conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
DoD Cybersecurity in DIB Supply Chain
With DoD CMMC, cybersecurity requirements for the DIB supply chain are amplified, but the process is more streamlined. Rather than have organizations struggle to meet disparate requirements from different agencies within the DoD, CMMC provides a unified approach to cybersecurity.
With revisions to DoD CMMC that have occurred over time, the burden is further reduced by aligning the requirements with federal guidelines that are utilized by other agencies outside of DoD, such as:
- National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) Rev. 2
- NIST SP 800-172
- 48 Code of Federal Regulations 52.204-21 (48 CFR 52.204-21), commonly referred to as the FAR Clause or FAR 52.204-21
While considered to be stringent, DoD CMMC’s standards maximize the safety and security of CUI and FCI, while increasing organizations’ overall security posture and their defense against ongoing cyberattacks by nation-states and cyber-criminals.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 18th November, 2024