The CMMC represents the U.S. Department of Defense's sustained effort to protect Controlled Unclassified Information (CUI) in the defense supply chain. Building on the 110 security requirements of NIST SP 800-171, the CMMC specifies 171 security practices, spread across five cumulative maturity levels, and pairs each level with a process maturity requirement. While the CMMC is not itself part of the FAR or DFARS, it will be included as a requirement in certain DoD contracts beginning in 2021.

Introduction

The U.S. DoD created the CMMC as part of its effort to improve cybersecurity assurance and accountability throughout the defense supply chain. The CMMC ecosystem is managed by the CMMC Accreditation Body ("CMMC-AB") on behalf of the DoD. The CMMC-AB trains and certifies provider organizations and professionals to perform CMMC-related services and certification assessments.

Requirements

Contractors receiving Federal Contract Information (FCI) must be certified to CMMC Level 1. Contractors receiving or creating Controlled Unclassified Information (CUI) must be certified to Level 3. Certain contractors receiving or creating highly-sensitive CUI, especially Controlled Technical Information (CTI), may require certification to Level 4 or 5.

As a maturity model, the CMMC adds practices and processes at each of its five levels. The practice counts below are cumulative: each level includes every practice required by the levels beneath it.

Level   Description                  Process      Practices (cumulative)
1       Basic Cyber Hygiene          Performed     17
2       Intermediate Cyber Hygiene   Documented    72
3       Good Cyber Hygiene           Managed      130
4       Proactive                    Reviewed     156
5       Advanced/Progressive         Optimizing   171

To be certified to a particular level, a contractor must demonstrate that it has implemented, and is consistently performing, each practice required at that level and every level below it. Unlike compliance with DFARS 252.204-7012, where gaps may be carried in a "Plan of Action & Milestones" (POA&M), open POA&M items are not permitted under CMMC: a practice that is not fully implemented at assessment time is a failed practice. At most, an assessor may allow minor fixes to be completed following the assessment.

Compliance Tip: Assessors are expected to review two forms of objective evidence to confirm that each practice is both implemented and performed. Typically this is an interview with the person responsible for the practice plus an artifact that shows it in operation (for example, a policy or procedure, a system configuration, or a log or record produced by the practice). Prepare both forms of evidence for every practice in scope before the assessment, since a practice backed by only one form may not be credited.

Enforcement & Liability

Decisions regarding certification are the purview of the CMMC-AB, including any appeals related to non-certification. However, non-compliance with federal contract requirements is enforced by the U.S. Department of Justice under the False Claims Act (FCA), and the DoD may take other punitive actions against non-compliant contractors.