Cybersecurity Maturity Model Certification (CMMC)

We ensure CMMC compliance for your organization through routine assessments, testing, and training.

Your Competitive Advantage

  • Win More Contracts

    Many prime DoD contracts require CMMC compliance, and by meeting these requirements, you can expand your revenue streams and secure long-term contracts.

  • 60% Cost Savings

    Our comprehensive program saves you from hiring, training, and managing an internal team. We are your single source for cybersecurity and compliance needs – no need to have multiple third-parties to manage.

  • 2x Faster

    Our customized approach has been proven to help organizations become audit ready twice as fast compared to doing it in house.

The Process: How You Get CMMC Certified

CMMC FAQs

When does CMMC go into effect?

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework, which enhances and clarifies cybersecurity requirements for defense contractors, is gradually being implemented. While there isn’t a specific, universally applicable “effective date,” the Department of Defense (DoD) has been incorporating CMMC requirements into contracts since late 2021. The full rollout is expected to continue through 2025.

Organizations should begin their compliance efforts as soon as possible to ensure they meet necessary requirements in time for contract opportunities. Early preparation will help avoid last-minute rushes and potential non-compliance issues, ensuring continued eligibility for DoD contracts. Start by assessing your current cybersecurity practices, identifying gaps, and implementing the required controls to meet the appropriate CMMC level.

What is CUI?

Controlled Unclassified Information (CUI) is sensitive information that requires safeguarding or dissemination controls according to federal regulations, but it is not classified under national security guidelines. CUI includes various types of data, such as personally identifiable information (PII), proprietary business information, and other data critical to government operations. The protection of CUI is essential to national security and maintaining the integrity of government functions. The Cybersecurity Maturity Model Certification (CMMC) framework helps ensure that organizations handling CUI have adequate cybersecurity practices to protect this information from unauthorized access and breaches.

What’s the difference between CMMC, DFARS, and ITAR?

CMMC, DFARS, and ITAR are all frameworks that govern different aspects of security and compliance for organizations working with the U.S. government, but they have distinct focuses:

  1. CMMC (Cybersecurity Maturity Model Certification):
    • Focuses on cybersecurity practices.
    • Applies to defense contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
    • Ensures organizations meet specific cybersecurity maturity levels to protect sensitive data.
    • Requires compliance with NIST SP 800-171 standards for protecting CUI.
  2. DFARS (Defense Federal Acquisition Regulation Supplement):
    • A set of regulations supplementing the Federal Acquisition Regulation (FAR) specific to defense contracts.
    • Includes clauses like DFARS 252.204-7012, which mandates safeguarding CUI and reporting cyber incidents.
    • Also requires compliance with NIST SP 800-171 standards for protecting CUI.
  3. ITAR (International Traffic in Arms Regulations):
    • Governs the export and import of defense-related articles and services.
    • Ensures that defense-related technology does not fall into the hands of foreign entities without authorization.
    • Applies to any organization involved in manufacturing, exporting, or brokering defense articles and services.
    • Requires that protected data does not leave the continental US.
    • Requires that only US persons (in most instances) are able to access protected data.

Organizations may need to comply with one or more of these frameworks depending on the nature of their contracts and the type of information they handle. Understanding the differences helps ensure comprehensive compliance and security measures.

Do I need a gov cloud environment for CMMC?

While a government cloud environment is not specifically required for CMMC compliance, Abacode recommends using Azure Government (GCC High) for CMMC Level 2 organizations, particularly when the organization must also comply with ITAR. Commercial Azure can also be acceptable for CMMC Level 2 if you have no ITAR-related operational requirements.

In any regard, DoD contractors must ensure that their chosen cloud service provider meets the necessary security requirements for handling CUI as outlined in CMMC. Many providers offer environments designed to comply with federal standards, which can simplify achieving and maintaining CMMC certification. Ensure that any cloud services used are configured and managed in accordance with CMMC guidelines to protect sensitive data adequately.

Why shouldn’t I try to become CMMC compliant on my own?

Achieving CMMC compliance on your own can be challenging due to the complexity and detailed requirements of the framework. Without expert guidance, you might miss critical security controls, leading to non-compliance and potential loss of contracts. Professional assistance ensures a thorough assessment of your current cybersecurity posture, identifies gaps, and implements necessary measures efficiently. Experts can also help navigate documentation, audits, and continuous monitoring, saving time and resources while ensuring robust protection of CUI. Partnering with experienced professionals increases your chances of achieving and maintaining CMMC compliance successfully.

When evaluating the Return on Investment (ROI) for your cybersecurity and compliance spend, it makes financial sense to leverage an expert team that has a proven track record of success versus hiring full-time staff and buying expensive solutions that may not lead to success.

What does DFARS 7012 say about the requirement for FedRAMP-compliant cloud computing?

DFARS Section 252.204-7012 (aka DFARS 7012) mandates that DoD contractors using external cloud service providers to store, process, or transmit CUI must ensure these providers meet FedRAMP Moderate baseline requirements. FedRAMP (Federal Risk and Authorization Management Program) ensures that cloud services used by the federal government have adequate security measures. Thus, compliance with FedRAMP helps contractors meet the stringent cybersecurity requirements outlined in DFARS 7012, ensuring the protection of sensitive defense information. This regulation emphasizes the need for using verified and secure cloud services to safeguard national security interests.

What is the difference between CMMC and NIST SP 800-171?

While NIST SP 800-171 provides specific security controls for CUI protection, CMMC is a certification process evaluating the maturity level of an organization in meeting those requirements. CMMC also includes practices related to incident response planning, execution, and reporting.

Which Microsoft Azure and Microsoft 365 environment do I need to meet CMMC requirements?

The differences among Microsoft Commercial, Government Community Cloud (GCC), and GCC High are as follows:

  1. Commercial – Meets FedRAMP Moderate criteria, but it is based on the global Microsoft network, so it is unspecified where data are hosted or who has access (e.g., foreign nationals).
  2. GCC – Essentially equivalent to the Microsoft Commercial cloud, but with specific identity measures and a requirement for US hosting. Still not adequate for ITAR, because foreign nationals could have infrastructure access.
  3. GCC High – A wholly separate copy of the cloud with US-based personnel and US hosting. Required for organizations with ITAR requirements, although it lacks some features of the commercial cloud.

What 3 things do you need to get CMMC certified?

To get CMMC certified, you need the following three things:

  1. SPRS Score: Submit your Supplier Performance Risk System (SPRS) score, which reflects your compliance with NIST SP 800-171 requirements, to the Department of Defense.
  2. SSP (System Security Plan): Develop and maintain a comprehensive System Security Plan (SSP) that outlines your current cybersecurity practices and how you address CMMC requirements.
  3. Assessment Score: Undergo an assessment by a certified third-party assessor to evaluate your compliance with the CMMC requirements and achieve the necessary assessment score for certification.

These components ensure your organization’s readiness and compliance with CMMC standards.

Stay Compliant, Secure & Competitive

Abacode is a CMMC-AB Certified Registered Provider Organization (RPO). Our Managed Cybersecurity & Compliance Core Program (MCCP Core™) is based on the CMMC standard and will allow your company to implement and comply with the CMMC 2.0 requirements without disrupting your business operations.

We offer an end-to-end program that includes:

  • Compliance
  • Readiness
  • World-class compliance dashboards
  • Consolidated reporting and continuous monitoring
  • Ongoing management

Are you CMMC Ready?