The Cybersecurity Maturity Model Certification (CMMC) program was updated by the U.S. Department of Defense (DoD) in November 2021 as “CMMC 2.0”. It requires contractors that safeguard sensitive information to mature their cybersecurity defenses against evolving cyber threats. CMMC 2.0 is structured as three progressively more demanding requirement levels, and each level maps to the sensitivity of the data a Defense Industrial Base (DIB) contractor processes under its contract. The sensitive data types are Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are data collected, created, transmitted, or received in the course of fulfilling a contract’s obligations to develop or deliver a product or service. FCI is information that is not marked as public or for public release; it is subject to minimum cybersecurity requirements, such as those of CMMC Level 1.
Typically, FCI arrives in email from government addresses and then resides in systems that store files received from the government, on hard drives, workstations, manufacturing devices, or backups.
CUI, by contrast, is not considered classified but still requires safeguarding through controlled dissemination: it is information that by law cannot be made public. CUI must be protected even though it is not sensitive enough to require a security clearance to access. CUI leaked to or accessed by adversaries could negatively impact national security.
Examples of CUI include legal material, health documents, technical drawings and blueprints, intellectual property, and ITAR-controlled documents and products. The CUI Registry, housed at the National Archives, lists every CUI category; review each category, not just the Defense category.
The DoD is migrating to the new CMMC framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). CMMC serves as a verification mechanism to ensure that cybersecurity controls and processes are adequate to protect Controlled Unclassified Information (CUI). If FCI or CUI is collected, transmitted, created, or stored by a DIB contractor, CMMC is a requirement. Praetorian Secure can ease the burden of meeting CMMC compliance requirements with services tailored to help your organization meet CMMC requirements (CMMC Level 1, CMMC Level 2, or CMMC Level 3, the last of which is still under development).
About CMMC Version 2.0:
- CMMC version 2.0 combines various cybersecurity standards and best practices. The standard maps these controls and processes across several maturity levels that range from basic cyber hygiene to advanced practices.
- CMMC 2.0 builds upon the initial CMMC framework to dynamically enhance Defense Industrial Base (DIB) cybersecurity against evolving threats.
- The DoD worked with the Johns Hopkins University Applied Physics Laboratory (APL) and the Carnegie Mellon University Software Engineering Institute (SEI) to review and combine various cybersecurity standards into one unified cybersecurity standard.
- The CMMC 2.0 changes build upon existing regulations (DFARS 252.204-7012). The updated standard requires verification that CMMC requirements have been met.
- CMMC will be semi-automated and, more importantly, cost-effective for small businesses seeking the minimum level, CMMC Level 1.
- The CMMC model will be agile enough to adapt to emerging cyber threats in the DIB sector. A neutral third party will maintain the standard for the Department.
- The CMMC includes a center for cybersecurity education and training.
- The intent is for certified third-party assessment organizations (C3PAOs) to conduct CMMC audits and report on DIB risk.
- The DoD developed a CMMC tool for third-party certifiers to use during audits. The tool collects metrics and informs the DoD on risk mitigation for the entire supply chain.