About Cybersecurity Maturity Model Certification.

The Department of Defense is drafting new CMMC standards. These standards will replace NIST 800-171 on DoD RFIs and RFPs beginning in the fall of 2020.

Access the latest draft of the CMMC Model

Quick Facts

1. DoD contractors will need to be certified at one of the five CMMC maturity levels by a third-party assessor (3PAO) before bidding on a contract or subcontracting to a prime.

2. Prime contractors must flow down the appropriate CMMC requirement to their subcontractors.

3. The CMMC levels range from basic cyber hygiene to state-of-the-art cybersecurity. The new requirements do not allow for self-attestation.

Some good news, though: DoD has determined that CMMC certification costs can be treated as "allowable costs" by contractors.

Current Knowledge Regarding CMMC Levels and their Respective Requirements

Level 1: Performed (Basic Cyber Hygiene)

To pass an audit at this level, the DoD contractor will need to implement 17 controls from NIST 800-171 Rev 1.

Level 2: Documented (Intermediate Cyber Hygiene)

To pass an audit at this level, the DoD contractor will need to implement another 46 controls from NIST 800-171 Rev 1.

Level 3: Managed (Good Cyber Hygiene)

To pass an audit at this level, the DoD contractor will need to implement the final 47 controls from NIST 800-171 Rev 1.

Level 4: Reviewed (Proactive)

To pass an audit at this level, the DoD contractor will need to implement 26 controls from NIST 800-171 Rev B (Rev B is still in the public-comment stage; 800-171 Rev 1 and its related documents are already final).

Level 5: Optimizing (Advanced / Progressive)

To pass an audit at this level, the DoD contractor will need to implement the final 4 controls from NIST 800-171 Rev B.