Cybersecurity maturity model certification overview

Learn everything about CMMC, its connection to NIST SP 800-171, and what requirements it imposes on suppliers in the United States.

CMMC - origins and development

The Federal Acquisition Regulation (FAR) is the primary rulebook for the procurement of goods and services by US federal agencies. It sets the policies and requirements for solicitations and contracts.

The Defense Federal Acquisition Regulation Supplement (DFARS) supplements the FAR specifically for the US Department of Defense and includes additional provisions and security requirements for defense contracts.

CMMC was developed to improve security within the DoD supply chain. Since 2015, DFARS 252.204-7012 has required the protection of “Covered Defense Information” and the reporting of cyber incidents. The first version of CMMC was released in 2020, followed by CMMC 2.0 in November 2021. This version will take effect on 16 December 2024, following its official publication in the Federal Register.

CMMC 2.0 consists of three maturity levels, with each level requiring a different set of security practices and controls largely based on NIST standards. Compared with the first version, CMMC 2.0 reduces the number of maturity levels from five to three to simplify the certification process for small and medium-sized enterprises.

The CMMC levels are:

  • Level 1: Basic protection of Federal Contract Information (FCI) through fundamental security requirements derived from FAR 52.204-21. Assessment at this level is performed by the organizations themselves (self-assessment).
  • Level 2: Enhanced protection of Controlled Unclassified Information (CUI). Depending on the level of risk, assessment is performed either as a self-assessment or by a third party.
  • Level 3: Higher protection requirements for CUI against advanced persistent threats (APTs). Assessment at this level is conducted by the DIB Cybersecurity Assessment Center.

CMMC and NIST standards

CMMC requirements are closely linked to standards from the National Institute of Standards and Technology (NIST). Two key documents are particularly relevant:

  • NIST SP 800-171: This guideline contains security requirements for protecting CUI in non-federal information systems and organizations. It forms the basis for the security requirements in CMMC Level 2.
  • NIST SP 800-172: This guideline augments the requirements of NIST SP 800-171 for scenarios with elevated security needs and is relevant for CMMC Level 3.

Key changes in the final rule for CMMC

The Code of Federal Regulations (CFR) is the official compilation of all permanent US regulations. A “Final Rule” is a definitive, legally binding regulation that, after a formal process, is incorporated into the CFR and must be followed from that point onward.

On 14 October 2024 the DoD published the Final Rule for the CMMC program. The rule becomes effective on 16 December 2024. One of the most important changes in this final rule is the reduction of the maturity levels to three, which particularly benefits small and medium-sized businesses. The CMMC levels are aligned with the criticality of the unclassified information that needs protection.

Important aspects for companies

For companies that want to work with the DoD, being CMMC-compliant is essential. Without a valid CMMC certification, they cannot bid for DoD contracts, which can result in significant revenue loss. Companies must ensure they meet the requirements for FCI and CUI and have a plan for continuous monitoring and improvement of their security measures.

Conclusion

CMMC is a central framework to ensure cybersecurity across the US Department of Defense supply chain. Companies that already work with the DoD or plan to do so must meet CMMC requirements to strengthen their market position and access new business opportunities. The close alignment with NIST standards enables affected organizations to implement requirements coherently. With the Final Rule, CMMC is being further simplified and made more efficient so that companies of all sizes can meet the requirements and remain active in the defense sector.