CMMC Compliance FAQs: What Do Contractors Need to Know?

Cybersecurity risks continuously rock Americans’ confidence in the government’s ability to protect online data. As cyberattacks continue to rise, the U.S. Department of Defense has shifted its approach by creating the Cybersecurity Maturity Model Certification. The CMMC, currently part of a phased rollout, will soon become a requirement for any businesses hoping to do business with the DOD.

1. What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification” and will soon become the standard for any businesses working with the U.S. Department of Defense. Since vendors and businesses working alongside the DOD deal with varying types of unclassified information, the CMMC framework consists of five scalable levels. With so many vendors working with the DOD in various capacities and across various supply chains, the CMMC compliance framework provides peace of mind when hiring businesses that must handle sensitive and unclassified information.

A business or vendors’ cybersecurity requirements depend on their level of certification.

• Level 1: Businesses must follow “basic cyber hygiene” practices. These range from implementing antivirus software to ensuring all staff members change their passwords often to protect confidential information. Businesses with Level 1 certification do not deal with Controlled Unclassified Information.
• Level 2: Businesses must follow “intermediate cyber hygiene” practices to handle rudimentary Controlled Unclassified Information. To reach level 2 certification, businesses must follow some of the requirements from the U.S. Department of Commerce National Institute of Standards and Technology’s Special Publication 800-171 Revision 2 (NIST 800-171 r2).
• Level 3: Businesses must adhere to “good cyber hygiene” practices. Any businesses with certification on Level 3 or above can handle more advanced Controlled Unclassified Information. They must implement all security requirements found within NIST 800-171 r2.
• Level 4: Businesses must prove expertise in dealing with advanced persistent threats. The DOD defines advanced persistent threats, also called APTs, as any cyber adversary capable of sophisticated attacks from multiple angles. Businesses earn this certification by being able to prove their effectiveness in detecting and preventing cyberattacks.
• Level 5: This is the highest level of certification for businesses working with the DOD. To earn this certification, businesses must implement standardized processes to automatically detect and react to APTs or other cyberattacks.

2. Why Are We Shifting to CMMC?

By 2025, all businesses hoping to work with the U.S. Department of Defense must obtain a CMMC certification. This new approach allows the DOD to enhance a cybersecurity approach stemming from the Defense Industrial Base sector.

The DOD will also form a CMMC Accreditation Body that will be responsible for performing CMMC audits and ensuring all businesses adhere to their level of certification.

3. What is Controlled Unclassified Information?

Controlled Unclassified Information, also called CUI, refers to any data or information owned by the federal government or Department of Defense. It also includes all information created specifically for the government and requires involved parties to adhere to a higher level of cybersecurity. This means that any business handling CUI must be certified on a higher level of CMMC – usually either Level 3, 4 or 5.

CUI can fall into a myriad of categories, from legal and financial to intelligence and infrastructure.

4. What’s the Timeline for CMMC?

Since CMMC Certification is so new, the U.S. Department of Defense has implemented a phased rollout running from 2021 to 2025. Until the rollout process is complete, the Office of the Under Secretary of Defense for Acquisition and Sustainment must personally approve any changes to the CMMC structure.

In 2021, the first year of the rollout, the DOD will only require fifteen businesses to adhere to CMMC certification. They plan to focus on smaller businesses that deal with Certified Unclassified Information and need certification for Level 3 or higher. For subsequent years, they will focus on adding in more businesses with Level 4 or 5 certification levels. They plan to complete the rollout process by September 30, 2025.

Once obtained, a CMMC certification will be valid for three years.