CMMC

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) program is a set of cybersecurity standards developed by the Department of Defense (DoD) to protect defense contractors from cyber attacks.

How will CMMC work?

DoD will require CMMC certification prior to any company/business/contractor winning a DoD contract. DoD delivered CMMC 1.0 standards (later updated to version 1.02) to a new non-profit governing organization, the Accreditation Body (AB). The AB will certify third-party inspectors who will then certify companies/businesses/contractors against the different CMMC standards/levels. Third-party inspectors will provide companies’/businesses’/contractors’ certification levels to the AB for tracking and provision to the DoD. The AB will not make CMMC certification levels publicly available.

For more information on the AB, please visit their website: CMMCAB.org/

How will CMMC impact NDIA’s members?

The CMMC program requires certification for all contractors doing business or who want to do business with DoD. This group of affected contractors includes companies indirectly doing business with DoD through subcontracts as well as companies that sell commercial products or services to DoD.

When was CMMC rolled out?

DoD published the initial set of CMMC standards on January 31, 2020. Companies were offered the ability to be certified while CMMC language began to appear in Requests for Proposals and Requests for Information in 2020. By 2026, all new DoD contracts will require an appropriate level of CMMC certification.

Who will decide the required CMMC level for each contract?

The DoD is currently developing a plan to educate acquisition professionals on how to set the appropriate CMMC levels for each contract.

How will CMMC compliance be different from compliance with NIST SP 800-171 through DFARS 252.204-7012?

CMMC merges several cybersecurity control standards, including NIST SP 800-171, into a single, unified standard. It goes beyond NIST SP 800-171 to include the assessment of organizational cybersecurity practices and processes in addition to the assessment of technical systems and practices. However, CMMC compliance will not imply NIST SP 800-171 compliance. NIST SP 800-171 includes 63 non-federal organization controls that are not covered by CMMC. At this time, contractors will have to continue to comply with DFARS 252.204-7012 requirements.

How will CMMC impact subcontractors?

At a minimum, all subcontractors will be required to carry CMMC Level 1 Certification to continue to participate in DoD contracts. Additionally, a prime contractor may require Level 3 Certification for a contract while subcontractors may require different levels of certification. Prime contractors will work with contracting officers to determine the CMMC levels required for subcontractors. The process to determine subcontractors’ CMMC certification requirements is still evolving.

What is NDIA’s role in CMMC?

NDIA worked closely with the DoD during the development of both CMMC standards and the model for governing the program. NDIA provided comments, recommendations, and critiques throughout that process. NDIA also hosted several opportunities for NDIA members to engage with DoD CMMC leads. Going forward, NDIA will continue to serve as a conduit between NDIA members, DoD, and the governing Accreditation Body, communicating changes to the regulations and processes to NDIA members while translating the impact of these regulations and suggested changes from member companies to DoD and the AB. NDIA will not have an official role within the AB and will not serve as a CMMC third-party inspector.

What questions does NDIA have about CMMC?

Following a March 2020 meeting with Undersecretary of Defense for Acquisition and Sustainment Ellen Lord, NDIA was asked to compile a list of outstanding questions from its membership. The NDIA Cyber Legal Policy Committee (NDIA's group focusing on CMMC) compiled a list of questions that was delivered to the Department of Defense in April 2020. The letter that was sent is viewable here. A follow-on letter was delivered to DOD and the CMMCAB leadership with additional outstanding questions in October, 2020. That letter is available here. 

Under Secretary of Defense Ellen Lord statement on misleading cybersecurity certification information

NDIA Cyber Resources

• NDIA 2019 Cyber Report Webinar with CREC
• Summary of GAO report on the federal government’s cybersecurity risk management programs
• Summary NIST 171B Standards

NDIA Resources on CMMC

• Access CMMC 1.02
• CMMC 1.02 Appendices
• CMMC Model Briefing from DoDNDIA 2019 Cyber Report – Beyond Obfuscation: The Defense Industry’s Position within Federal Cybersecurity Policy
• NDIA Statement for CMMC Implementation What It Means for Small Businesses
  
  • Statement for the Record for House SB Committee Hearing  
• Comment on NIST SP 800-172a
• NDIA's Comment on DFARS Case 2019-D041
• NDIA's Comment on NIST SP 800-172
  • More information about NIST's draft of 800-172 is available here. 
• NDIA’s comment on CMMC version 0.7
  • We developed this set of comments through coordination by the NDIA Cyber Legal Policy Committee and incorporate comments related to CMMC v0.6 and v0.7. We delivered this comment to DoD on January 9, 2020.
• NDIA’s comment on CMMC version 0.4
  • This set of comments was developed through coordination by the NDIA Cyber Legal Policy Committee in reaction to the first publicly available version of CMMC. We delivered this comment to DoD on September 25, 2019.
• Council on Defense and Space Industry Associations (CODSIA) Comment on CMMC version 0.4
  • NDIA is one of seven members of CODSIA and worked with the group to submit a comment on the initial CMMC draft.
• The Role of Cyber Insurance for CMMC
  • NDIA members developed this paper to discuss the potential role for cybersecurity insurance in the continually evolving cyber landscape. This paper is a work in progress and suggestions for edits, expansions, and updates should be sent to Regulatory@NDIA.org.
• Exostar-NDIA CMMC webinar featuring Katie Arrington
  • NDIA and Exostar co-hosted this webinar to allow Katie Arrington, DoD’s principal on CMMC, to answer questions about the program. This webinar was recorded on October 24, 2019—prior to the public release of CMMC 1.0—and may contain information that is no longer consistent with the finalized version of CMMC.
• DOD - CMMCAB Memorandum of Understanding (replaced by Statement of Work below)
• DOD - CMMCAB Statement of Work
• NDIA members can join the conversation around CMMC at NDIA Connect

Tools for NDIA Corporate Members

• Exostar Certification Assistant - NDIA members receive a $500 discount when signing up for Certification Assistant Standard

  • Exostar Certification Assistant is a web-based tool to help organizations through the process of CMMC readiness and certification.  Perfect for smaller organizations without formal IT and information security teams, as well as larger organizations with more mature capabilities, Certification Assistant explains each CMMC practice and process in understandable, non-technical terms, providing a self-guided, step-by-step approach for assessing CMMC readiness, and for implementing the practices and processes necessary to prepare for CMMC certification success.  Its companion, Exostar PolicyPro simplifies creating policies required under CMMC.  Certification Assistant is available in three versions: Lite (Level 1), Standard (Levels 1-3), and Premium (Level 1-5).

• ComplyUp CMMC Assessment Platform - NDIA members receive a 10% discount when signing up for CMMC Full Access
  

  • Need to get through your CMMC assessment fast? Yes, you do.
    Looking for auto-generated audit documentation? Yes, you are.
    Desperate for a robust risk management platform? No, you're not.
    You just want to get through this compliance headache.
     
    We get it, and we've built compliance assessment software that gives you a fighting chance at a price that won't hurt.
    Yeah, we've got lots of fancy features that get the security-types excited, but that's not really what we're about. We just want to help you solve your compliance challenges so you can get back to business as usual.

• RocketCMMC Level 1 Compliance Tool – NDIA members receive a 15% discount. 

  • Need CMMC Level 1 certification? We'll get you there. Fast.

    We offer the fastest path to CMMC Level 1 readiness. Not sure? Try us out for free and only pay when you are ready to get your CMMC documentation.

    Some products have questionnaires that identify gaps, but don't help you develop your CMMC documentation.  Other products just give blank templates. 

    RocketCMMC® uses a patent-pending walkthrough process.  The walkthrough provides industry-standard security practices that quickly get you CMMC Level 1-ready.  If you have gaps, our security pros can tell you the most cost-effective way to fix those issues.  With RocketCMMC® you get the security practices and documentation you need for your assessment.

• Cyber Security Solutions - NDIA members receive a 35% discount.

• Our CMMC Compliance package starts with a non-invasive scan that assesses your entire environment within 24-48 hours, resulting in a true picture of your current risks. We utilize proven scanning technology to ensure accurate results, this reduces the time your team spends answering assessment questions. Your data never leaves your network, and the scan runs in the background with no affects to your daily operations. Our package includes:  

  • DoD Assessment Scorecard
  • System Security Plan (SSP)
  • Plan of Actions and Milestones (POA&M)
  • Supplier Performance Risk System (SPRS) Upload Assistance
  • CMMC Compliance Dashboard Access

     Call CSS today to start your CMMC journey!

• eFortresses - NDIA members receive a 10% discount.

  • eFortresses, Inc. (a Gartner Cool Vendor) is an AI powered Cybersecurity SaaS company that allows clients to self-assess, get validated, get trained, get certified, and reduce their breach probability at a fraction of the time and cost.
     
    eFortresses SaaS platform enables small-to-medium sized businesses (SMBs) across all industries to automate the workflow for education, self-assessment, validation of controls evidence, scoring, breach probability rating and benchmarking of controls.
     
    eFortresses' vision is to be the world's most trusted source for predicting and reducing cyber breach probability for both government and commercial sectors.
     
    eFortresses enables clients to reduce their breach probability and maintain the highest levels of ongoing cybersecurity maturity.