The Cybersecurity Maturity Model Certification (CMMC) is a mandatory Department of Defense (DoD) initiative for contractors. Led by the Office of the Assistant Secretary of Defense for Acquisition, the CMMC shores up a gap created by the NIST 800-171 self-assessment

Contractors who stated they were following the NIST 800-171 best practices, some of which handled Controlled Unclassified Information (CUI), continued to be breached by adversaries. CMMC also applies to Federal Contract Information (FCI). Currently, organizations that handle FCI must be CMMC Level 1 compliant, even if they do not handle CUI. The CMMC forces DoD contractors to receive an independent third-party audit and obtain a certification of compliance. 

The Defense Federal Acquisition Regulation Supplement (DFARS) provides the DoD with implementation and supplementation guidelines, which are useful in part for a CMMC audit. 

The CMMC audit focuses on several key areas that are easy to map to NIST 800-171. Note that CMMC is not only from NIST 800-171. There are several other inputs/sources that were used including NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.

CMMC Requirements for CMMC Certification:

CMMC Level 1 – Basic Cyber Hygiene (17 controls): Basic cybersecurity controls that are appropriate for small businesses, but must confirm the accuracy of the 17 controls.

CMMC Level 2 – Intermediate Cyber Hygiene (72 Controls – contains level 1 controls): Contains universally accepted NIST SP and NIST CSF cybersecurity best practices.

CMMC Level 3 – Good Cyber Hygiene (130 Controls – contains level 2 controls): Includes coverage of all NIST 800-171 controls and additional CMMC components.

CMMC Level 4 – Proactive (156 Controls – contains level 3 controls): Includes advanced and sophisticated cybersecurity practices and cybersecurity controls.

CMMC Level 5 – Advanced/Progressive (171 Controls – contains level 4 controls): Includes highly advanced cybersecurity practices and cybersecurity standards.

Prime contractors and subcontractors that do business with the federal government and may come in contact with Controlled Unclassified Information (CUI) need to undergo a CMMC audit for compliance. 

The audit will be conducted by a certified assessor that will examine various controls based on the CMMC level the organization is attempting, most of which are found in NIST 800-171. The audit scope will be determined by the CMMC level the organization is required to comply with, which is specified in the RFI/RFP process.

Third-party assessors will conduct the CMMC assessment with various assessment tools and work with the organization on how to obtain compliance. Think of the CMMC audit as an evolution of the self-assessment goals laid out in NIST SP 800-171.