What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) program is a set of cybersecurity standards developed by the Department of Defense (DoD) to protect defense contractors from cyber attacks.

How will CMMC work?

DoD will require CMMC certification before any company, business, or contractor can win a DoD contract. DoD delivered the CMMC 1.0 standards (later updated to version 1.02) to a new non-profit governing organization, the Accreditation Body (AB). The AB will certify third-party inspectors, who will in turn certify companies, businesses, and contractors against the different CMMC standards/levels. Third-party inspectors will provide each organization's certification level to the AB for tracking and provision to the DoD. The AB will not make CMMC certification levels publicly available.

For more information on the AB, please visit their website: CMMCAB.org

How will CMMC impact NDIA’s members?

The CMMC program requires certification for all contractors doing business, or seeking to do business, with DoD. This group of affected contractors includes companies that do business with DoD indirectly through subcontracts, as well as companies that sell commercial products or services to DoD.

When was CMMC rolled out?

DoD published the initial set of CMMC standards on January 31, 2020. Companies were offered the ability to become certified as CMMC language began to appear in Requests for Proposals and Requests for Information during 2020. By 2026, all new DoD contracts will require an appropriate level of CMMC certification.

Who will decide the required CMMC level for each contract?

The DoD is currently developing a plan to educate acquisition professionals on how to set the appropriate CMMC levels for each contract.

How will CMMC compliance be different from compliance with NIST SP 800-171 through DFARS 252.204-7012?

CMMC merges several cybersecurity control standards, including NIST SP 800-171, into a single, unified standard. It goes beyond NIST SP 800-171 to include the assessment of organizational cybersecurity practices and processes in addition to the assessment of technical systems and practices. However, CMMC compliance will not imply NIST SP 800-171 compliance. NIST SP 800-171 includes 63 non-federal organization controls that are not covered by CMMC. At this time, contractors will have to continue to comply with DFARS 252.204-7012 requirements.

How will CMMC impact subcontractors?

At a minimum, all subcontractors will be required to carry CMMC Level 1 Certification to continue to participate in DoD contracts. Additionally, a prime contractor may require Level 3 Certification for a contract while subcontractors may require different levels of certification. Prime contractors will work with contracting officers to determine the CMMC levels required for subcontractors. The process to determine subcontractors’ CMMC certification requirements is still evolving.

What is NDIA’s role in CMMC?

NDIA worked closely with the DoD during the development of both the CMMC standards and the model for governing the program. NDIA provided comments, recommendations, and critiques throughout that process. NDIA also hosted several opportunities for NDIA members to engage with DoD CMMC leads. Going forward, NDIA will continue to serve as a conduit between NDIA members, DoD, and the governing Accreditation Body: it will communicate changes to the regulations and processes to NDIA members, and translate the impact of these regulations and the changes suggested by member companies back to DoD and the AB. NDIA will not have an official role within the AB and will not serve as a CMMC third-party inspector.

NDIA Contact

Mr. Chris Sax
Associate Director, Strategy
Phone: (703) 247-2571
E-mail: csax@NDIA.org