The 32 CFR Part 170 CMMC Program rule is final and has been published.

About CMMC

Cybersecurity is a top priority for the Department of Defense (DoD). The defense industrial base (DIB) faces increasingly frequent and complex cyberattacks. To strengthen DIB cybersecurity and better safeguard DoD information, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) Program to verify that contractors and subcontractors have implemented existing DoD cybersecurity requirements.


Overview of the CMMC Program

The CMMC Program aligns with the DoD’s existing information security requirements for the DIB. It is designed to enforce the protection of sensitive unclassified information shared by the Department with its contractors and subcontractors. The program provides the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for nonfederal systems processing controlled unclassified information.

Key features of the CMMC Program:

  • Tiered Model: CMMC requires companies entrusted with sensitive unclassified DoD information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also outlines the process for requiring protection of information flowed down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the DoD to verify DIB implementation of existing cybersecurity standards.
  • Implementation through Contracts: DoD contractors and subcontractors handling sensitive unclassified DoD information must achieve a specific CMMC level as a condition of contract award.

Protected Information

The CMMC model is designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with defense contractors and subcontractors during contract performance.

  • Federal Contract Information (FCI): As defined in section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, excluding information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”
  • Controlled Unclassified Information (CUI): As outlined in Title 32 CFR 2002.4(h), CUI is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” For more information regarding specific CUI categories and subcategories, see the DoD CUI Registry website.

Overview of Assessments

The CMMC Program provides assessments at three levels, each incorporating security requirements from existing regulations and guidelines.

Level 1: Basic Safeguarding of FCI

  • Requirements: Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.

Level 2: Broad Protection of CUI

  • Requirements:
    1. Either a self-assessment or a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years, as specified in the solicitation.
      • Which assessment type applies is decided by the type of information processed, transmitted, or stored on the contractor or subcontractor information systems.
    2. Annual affirmation of compliance with the 110 security requirements in NIST SP 800-171 Revision 2.

Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats

  • Requirements:
    1. Hold a Final CMMC Status of Level 2 (C3PAO) for the same CMMC Assessment Scope.
    2. Undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
    3. Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.


Summary of requirements by CMMC Status (source and number of security requirements, assessment requirements, Plan of Action and Milestones (POA&M) requirements, and affirmation requirements):

Level 1 (Self)
  • Security requirements: 15, required by FAR clause 52.204-21
  • Assessment: conducted by the Organization Seeking Assessment (OSA) annually; results entered into the Supplier Performance Risk System (SPRS)
  • POA&M: not permitted
  • Affirmation: after each assessment; entered into SPRS

Level 2 (Self)
  • Security requirements: 110 from NIST SP 800-171 R2, required by DFARS clause 252.204-7012
  • Assessment: conducted by the OSA every 3 years; results entered into SPRS; CMMC Status valid for three years from the CMMC Status Date as defined in § 170.4
  • POA&M: permitted as defined in § 170.21(a)(2) and must be closed out within 180 days; Final CMMC Status valid for three years from the Conditional CMMC Status Date
  • Affirmation: after each assessment and annually thereafter; assessment lapses upon failure to annually affirm; entered into SPRS

Level 2 (C3PAO)
  • Security requirements: 110 from NIST SP 800-171 R2, required by DFARS clause 252.204-7012
  • Assessment: conducted by a C3PAO every 3 years; results entered into CMMC Enterprise Mission Assurance Support Service (eMASS); CMMC Status valid for three years from the CMMC Status Date as defined in § 170.4
  • POA&M: permitted as defined in § 170.21(a)(2) and must be closed out within 180 days; Final CMMC Status valid for three years from the Conditional CMMC Status Date
  • Affirmation: after each assessment and annually thereafter; assessment lapses upon failure to annually affirm; entered into SPRS

Level 3 (DIBCAC)
  • Security requirements: 110 from NIST SP 800-171 R2, required by DFARS clause 252.204-7012, plus 24 selected from NIST SP 800-172 (Feb 2021), as detailed in table 1 to § 170.14(c)(4)
  • Assessment: prerequisite CMMC Status of Level 2 (C3PAO) for the same CMMC Assessment Scope, for each Level 3 certification assessment; conducted by DIBCAC every 3 years; results entered into CMMC eMASS; CMMC Status valid for three years from the CMMC Status Date as defined in § 170.4
  • POA&M: permitted as defined in § 170.21(a)(3) and must be closed out within 180 days; Final CMMC Status valid for three years from the Conditional CMMC Status Date
  • Affirmation: after each assessment and annually thereafter; assessment lapses upon failure to annually affirm; Level 2 (C3PAO) affirmation must also continue to be completed annually; entered into SPRS


CMMC Post-Assessment Remediation: Plans of Actions and Milestones

The CMMC Program allows limited use of Plans of Action and Milestones (POA&Ms).

  • Level 1: POA&Ms are not permitted.
  • Level 2 and Level 3: Refer to § 170.21 of the 32 CFR Part 170 CMMC Program final rule for POA&M requirements, including the requirements that cannot be included in a POA&M.

A POA&M closeout assessment is a CMMC assessment that evaluates only the NOT MET requirements identified in the initial assessment. The closing of a POA&M must be confirmed by a POA&M closeout assessment within 180 days of the Conditional CMMC Status Date. If the POA&M is not successfully closed out within this timeframe, the Conditional CMMC Status for the information system will expire.

  • Level 2 Self-Assessment: The POA&M closeout self-assessment shall be performed by the OSA in the same manner as the initial self-assessment.
  • Level 2 Certification Assessment: The POA&M closeout certification assessment must be performed by an authorized or accredited C3PAO.
  • Level 3 Certification Assessment: The POA&M closeout certification assessment will be performed by DCMA DIBCAC.

CMMC Implementation

The CMMC Program implementation date is 60 days after the publication of the final Title 48 CFR CMMC acquisition rule. CMMC assessment requirements will be implemented using a four-phase plan over three years. The phases add CMMC Level requirements incrementally, starting with self-assessments in Phase 1 and ending with full implementation of program requirements in Phase 4. This phased approach allows time to train assessors and for companies to understand and implement CMMC assessment requirements.

CMMC Implementation Diagram


In some procurements, DoD may implement CMMC requirements in advance of the planned phase.