What is Cybersecurity Maturity Model Certification (CMMC) 2.0?
The Cybersecurity Maturity Model Certification (CMMC) program was enhanced in November 2021 by the U.S. Department of Defense (DoD) under “CMMC 2.0”.
Cybersecurity Maturity Model Certification (CMMC) requires that contractors mature their cybersecurity defenses against evolving cyber threats. This applies above all to defense industrial base contractors that safeguard sensitive national security information: FCI, CUI, and/or ITAR data.
CMMC version 2.0 is structured around three increasingly demanding requirement levels. Each level maps to the sensitivity of the data the Defense Industrial Base or DoD supplier processes under its contract. The sensitive data types are Federal Contract Information (FCI), Controlled Unclassified Information (CUI), and International Traffic in Arms Regulations (ITAR) data.
What are the CMMC 2.0 streamlined requirements?
- Simplifies compliance by allowing self-assessment for some requirements.
- Sets priorities for protecting DoD information.
- Reinforces cooperation between the DoD and industry in addressing evolving cyber threats.
Cybersecurity Maturity Model Certification requirements (JAN 2023) as prescribed in DFARS 204.7503(a) and (b)
(a) Scope. The Cybersecurity Maturity Model Certification (CMMC) is a framework that measures a contractor’s cybersecurity maturity to include the implementation of cybersecurity practices and institutionalization of processes (see https://www.acq.osd.mil/cmmc/index.html).
(b) Requirements. The Contractor shall have a current (i.e., not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.
(c) Subcontracts. The Contractor shall:
(1) Insert the substance of this clause, including this paragraph (c), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial products or commercial services, excluding commercially available off-the-shelf items; and
(2) Prior to awarding to a subcontractor, ensure that the subcontractor has a current (i.e., not older than 3 years) CMMC certificate at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor.
CMMC Levels Mapped to DFARS and FAR Requirements for Data Protection
| CMMC Level 1-3 | Current Contract Requirements | Data Protection Requirements |
|---|---|---|
| All Suppliers | DFARS 204.7503(a) and (b) | Sensitive Contract Data, FCI, CUI |
| Level 1 | FAR 52.204-21 | FCI |
| Level 2 | DFARS 252.204-7012 | CUI |
| Level 3 | DFARS 252.204-7012, High Assessment | CUI, Critical CUI |