The US Department of Defense (DoD or the Department) created the Cybersecurity Maturity Model Certification (CMMC) program to add a comprehensive and scalable certification process to verify the implementation of industry practices that achieve a cybersecurity maturity level. CMMC is designed to provide assurance to departments and agencies that the defense industrial base (DIB) contractor can adequately protect sensitive unclassified information such as federal contract information and controlled unclassified information (CUI). The US government is concerned with ensuring that the data and information their contractors receive is stored and used safely. This government-furnished information is more commonly known as GFI.

Of great concern is the potential that government-furnished information will escape into the wild. The US government wants to protect itself and its citizens against the theft of intellectual property and the sensitive information of US industrial sectors from malicious cyber activity. The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can threaten US economic and national security by undercutting technical advantages and innovation and significantly increasing risk to national security.

To address these concerns, the DoD issued an interim rule [1] September 2020 intended to create a DoD assessment methodology and CMMC framework to assess a contractor's cybersecurity posture. By issuing the interim rule, the US government is seeking to understand what requirements and business practices contractors incorporate to protect their unclassified information systems and the data that is housed on those systems from a threat actor.

The US currently requires DoD contractors to include Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 [2] in subcontracts for which subcontract performance will involve covered defense information (DoD CUI). DFARS provides acquisition regulations that are specific to the DoD and outlines regulations to which DoD government acquisition officials, contractors, and subcontractors must adhere when doing business with the DoD. However, this DFARS clause does not provide the department or agency contracting this work sufficient insights with respect to the cybersecurity posture of DIB companies throughout the multitier supply chain for any given program or technology development effort.

Given the size and scale of the DIB sector, the DoD cannot scale its organic cybersecurity assessment capability to conduct on-site assessments of approximately 220,000 DoD contractors every three years. As a result, the Department's organic assessment capability is best suited for conducting targeted assessments for a subset of DoD contractors that support prioritized programs, technology development efforts, or both. CMMC addresses the challenges of contractor assessment capabilities by partnering with an independent organization that will accredit and oversee third-party assessment and conduct on-site assessments of DoD contractors throughout their multitier supply chain contract. The cost of these CMMC assessments will be driven by multiple factors, including market forces, the size and complexity of the network or enclaves under assessment, and the CMMC level. Later I will talk about the plans to enforce CMMC.

What Material Falls Within CMMC?

In a simplified definition, only unclassified data and information that falls below the classified category falls within the purview of CMMC. Classified data and information have distinct processes and guidelines that contractors must adhere to, to possess these types of materials. Classified data not covered by CMMC is secret (S), top secret (TS), or top secret sensitive compartmented information (TS-SCI).

Within the unclassified data and information category of material are distinct classifications of data that require CMMC protection:

• CUI Assets process, store, or transmit CUI.
• Security Protection Assets provide functions or capabilities to include people, technology, and facilities.
• Contractor Risk Managed Assets are capable of, but not intended to, process, store, or transmit CUI because of the security policy, procedures, and practices in place.
• Specialized Assets are government property, industrial Internet of Things, supervisory control and data acquisition (SCADA) systems, and restricted information systems or test equipment that may handle CUI.

CMMC Framework

The framework has three main key features:

Tiered Model. CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forth the process for information flow down to subcontractors.

Assessment Requirement. CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.

Implementation Through Contracts. Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

Building on the National Institute of Standards and Technology special publication (NIST SP) 800-171 (DoD Assessment Methodology) [3], the CMMC framework adds a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information (i.e., CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multitier supply chain. Implementation of the CMMC framework is intended to solve the following problems:

• Verification of a contractor's cybersecurity posture. DIB companies self-attest that they will implement the requirements in NIST SP 800-171 on submission of their contract offer.
• DoD contractors that inconsistently implement mandated system security requirements for safeguarding CUI.
• Verification of a DIB contractor's cybersecurity posture. The company must achieve the CMMC level certification required as a condition of contract award.

CMMC in Depth

CMMC is currently on its second iteration, CMMC 2.0. The prior iteration of CMMC was CMMC 1.0, which built a framework of four elements: security domains, capabilities, practices, and processes. When combined, they built best practices for the protection of an organization and associated federal contract information and CUI. CMMC 1.0 had five cybersecurity maturity levels (1-5) that composed the CMMC framework, with level 1 being the least mature and level 5 the most mature.

The CMMC 1.0 framework consisted of 17 cybersecurity domains. A domain is a distinct group of security practices that have similar attributes and are key to the protection of federal contract information and CUI, either individually or in combination. Each domain comprises several capabilities an organization is expected to achieve to ensure that cybersecurity and the protection of federal contract information and CUI is sustainable. Capabilities are a combination of practices, processes, skills, knowledge, tools, and behaviors, which when working together enable an organization to protect federal contract information and CUI. In total (at level 5) the CMMC framework identifies 171 practices associated with the 17 security domains and mapped across the five maturity levels.

Practices applied at maturity levels 1 and 2 have been referenced from Federal Acquisition Regulation (FAR) 52.204-21 [4] for the basic safeguarding of covered contractor information systems applied to the protection of federal contract information. Practices applied at levels 3, 4, and 5 are referenced from DFARS 252.204-7012 [2] for the safeguarding of covered defense information and cyber-incident reporting. Most of the above framework and guidelines carried over to CMMC 2.0 with the one big exception that CMMC 2.0 only has three levels, as opposed to the five levels of CMMC 1.0.