Cybersecurity maturity model certification - an overview

Learn what CMMC is, how it relates to NIST SP 800-171, and what it requires of suppliers in the U.S. Department of Defense (DoD) supply chain.

CMMC - origins and development

The Federal Acquisition Regulation (FAR) is the primary rulebook for the procurement of goods and services by U.S. federal agencies. It sets the policies and requirements for solicitations and contracts.

The Defense Federal Acquisition Regulation Supplement (DFARS) complements the FAR specifically for the U.S. Department of Defense and includes additional provisions and security requirements for defense contracts.

CMMC was developed to improve security within the DoD supply chain. Since 2015, DFARS clause 252.204-7012 has required contractors to protect "Covered Defense Information" and to report cyber incidents; the clause relies on self-attestation, and CMMC adds verification on top of it. The first version of CMMC was published in 2020, followed by CMMC 2.0 in November 2021. The 2.0 program is the version codified in the final rule, which takes effect on December 16, 2024 following its publication in the Federal Register.

CMMC 2.0 consists of three maturity levels, each requiring a different set of security practices and controls based largely on NIST standards. Compared with the first version, CMMC 2.0 reduces the number of maturity levels from five to three to simplify the certification process for small and medium-sized enterprises.

The CMMC levels are:

  • Level 1: Basic protection of Federal Contract Information (FCI) through the 15 basic safeguarding requirements of FAR 52.204-21. Assessment at this level is performed by the organization itself (annual self-assessment).
  • Level 2: Broad protection of Controlled Unclassified Information (CUI) based on the 110 security requirements of NIST SP 800-171. Depending on the sensitivity of the information involved, the assessment is either a self-assessment or a certification assessment by an authorized CMMC Third-Party Assessment Organization (C3PAO).
  • Level 3: Enhanced protection of CUI against advanced persistent threats (APTs), adding selected requirements from NIST SP 800-172 on top of Level 2. Assessment at this level is performed by the government's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and presupposes a Level 2 certification.

CMMC and NIST standards

CMMC requirements are closely linked to the standards of the National Institute of Standards and Technology (NIST). Two key documents are particularly relevant:

  • NIST SP 800-171: This publication contains the security requirements for protecting CUI in nonfederal information systems and organizations. Its 110 requirements (Revision 2 is the version referenced by the final rule) form the basis of CMMC Level 2.
  • NIST SP 800-172: This publication extends NIST SP 800-171 with enhanced requirements for scenarios that need protection against advanced persistent threats. A selected subset of its requirements is added at CMMC Level 3.

Key changes in the final rule for CMMC

The Code of Federal Regulations (CFR) is the official compendium of all permanent U.S. regulations. A “final rule” is a definitive, legally binding regulation that is codified in the CFR after a formal process and must be followed from its effective date.

On October 15, 2024, the DoD published the final rule for the CMMC program (32 CFR Part 170) in the Federal Register. The rule becomes effective on December 16, 2024. One of the most important features of the final rule is the reduction of maturity levels to three, which particularly benefits small and medium-sized businesses. Each CMMC level is aligned with the sensitivity of the unclassified information (FCI or CUI) that the contractor handles.

Important aspects for companies

For companies that want to work with the DoD, CMMC compliance is essential. Once a solicitation specifies a CMMC level, a contractor that cannot show the required CMMC status (a self-assessment or a third-party certification at that level, affirmed annually by a senior company official) is not eligible for award, which can mean a significant loss of revenue. Companies must therefore identify where they process FCI and CUI, close gaps against the applicable requirements, and have a plan for continuous monitoring and improvement of their security measures, because CMMC status must be maintained, not just achieved once.

Conclusion

CMMC is a central framework to ensure cybersecurity within the U.S. Department of Defense supply chain. Companies that already work with the DoD or plan to do so must meet CMMC requirements to strengthen their market position and pursue new business opportunities. The close alignment with NIST standards enables affected organizations to implement controls consistently. With the final rule, CMMC has been simplified and made more efficient so that organizations of all sizes can meet the requirements and remain active in the defense sector.

CMMC is not an isolated issue for many companies; it exists alongside European requirements such as CRA or NIS 2. If you want to understand how these requirements relate to each other and which next steps make sense, this can be clarified in a non-binding conversation.