What is CMMC Compliance and Why is it Important to Contract Manufacturers?

CMMC 2.0 (Cybersecurity Maturity Model Certification)

CMMC (Cybersecurity Maturity Model Certification) is a U.S. Department of Defense framework for protecting Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB). It sets cybersecurity requirements for contractors and, for contracts involving CUI, requires independent third-party assessment rather than self-attestation alone. CMMC 2.0, the current version, reduces the original five maturity levels to three and aligns them with existing NIST standards (Level 2 is NIST SP 800-171; Level 3 adds a subset of NIST SP 800-172). The first two levels are the ones that apply to most contract manufacturers. Organizations handling FCI or CUI must achieve the level named in their contract to be awarded or keep work with the Department of Defense.

The U.S. Department of Defense (DOD) has long questioned whether contractors and their supply chains have fully complied with existing cybersecurity requirements to protect Controlled Unclassified Information (CUI), namely the 110 security requirements of NIST SP 800-171 that DFARS 252.204-7012 imposes. Because of that, the DOD will now require third-party verification that contractors handling CUI actually meet those requirements. Contractors that handle only Federal Contract Information (FCI) must self-assess against the 15 basic safeguarding requirements of FAR 52.204-21 and affirm their compliance to the DOD.

Federal Contract Information (FCI) and the Levels of CMMC

FCI is information, not intended for public release, that is provided by or generated for the U.S. government under a contract to develop or deliver a product or service. It does not include information the government itself makes public, such as content on public government websites, or simple transactional information such as the data needed to process payments.

The CMMC level an organization must reach depends on the type of information it handles, not on how sensitive any particular piece of FCI is. A contractor that handles only FCI needs Level 1; a contractor that stores, processes or transmits CUI needs Level 2 (or Level 3 for the most sensitive programs). The DOD states the required level in each solicitation, so a manufacturer should check the level named in the contract rather than assume one.

CMMC Level 1 exists to protect Federal Contract Information (FCI)

This is the simplest level of CMMC. It contains the 17 cybersecurity practices that make up Foundational cybersecurity, which are CMMC's expression of the 15 basic safeguarding requirements in FAR 52.204-21.

These practices come from the Federal Acquisition Regulation (FAR) clause 52.204-21, which applies to all federal contracts involving FCI, so technically every such contract already requires this basic level of cybersecurity. Under CMMC 2.0, Level 1 companies must complete an annual self-assessment, submit the result to the Supplier Performance Risk System (SPRS), and have a senior company official affirm it.

CMMC Level 2 exists to protect Controlled Unclassified Information (CUI)

This level contains the 110 cybersecurity practices that make up Advanced cybersecurity, taken directly from NIST SP 800-171. Most Level 2 contracts require an assessment every three years by an accredited CMMC Third Party Assessment Organization (C3PAO), with an annual affirmation by company leadership in between; a smaller set of contracts allows a triennial self-assessment instead.

Key requirements of CMMC Level 2 include:

  • Access Control: limiting system and CUI access to authorized users, processes, and devices, and enforcing least privilege.
  • Awareness and Training: providing regular security awareness and role-based training to employees.
  • Security Controls: implementing technical safeguards such as firewalls, intrusion detection systems, and encryption of CUI in transit and at rest.
  • Incident Response: developing, maintaining, and testing an incident response plan.
  • Risk Assessment: conducting regular risk assessments and vulnerability scans to identify and mitigate potential threats.
  • Supply Chain Risk Management: managing the security risks of third-party vendors and suppliers, including flowing CUI protection requirements down to subcontractors that receive CUI.
  • Configuration Management: maintaining secure baseline configurations for systems and devices and controlling changes to them.
  • Media Protection: implementing procedures for the proper handling, storage, sanitization, and disposal of media containing CUI and FCI.

More articles from JEM Electronics, Inc.