In 2020, the Department of Defense (DoD) sent shockwaves through the Defense Industrial Base (DIB) when it released the first version of the Cybersecurity Maturity Model Certification (CMMC). Now companies are left asking “Who does CMMC apply to and does it apply to my business?” 

The CMMC 2.0 assessment framework is intended to address the growing onslaught of threats that all members of the DIB face. Understandably, businesses that work with the DoD are eager for answers to questions like, “What is CMMC?” and “Does CMMC apply to my business?” In this article, we answer the latter question.


Yes, all DoD contractors will need to certify their compliance with a CMMC level once CMMC 2.0 becomes a contract requirement, which will happen when the ongoing formal rulemaking process is completed (no later than November 2023).

So if your business is among the 300,000 or so companies that contract for the DoD, then CMMC compliance should be your top priority; otherwise, you may be excluded from applying for future DoD contracts.

To figure out which of the three cybersecurity maturity certification levels described in CMMC 2.0 applies to your business, you need to understand what Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are:

  • FCI: Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments. (Source) 
  • CUI: Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. (Source) 

What’s important here is that both FCI and CUI include information created or collected by or for the Government, as well as information received from the Government, but only CUI requires safeguarding and may also be subject to dissemination controls. 

That’s why contractors that handle FCI but don’t store or process CUI are required to implement only the 17 basic cybersecurity practices of CMMC 2.0 Level 1.  

Contractors that do store or process CUI are required to comply with either Level 2 or Level 3, depending on the priority of their CUI and the risk they face from encountering Advanced Persistent Threats (APTs). Level 2 includes 110 practices aligned with NIST SP 800-171, while Level 3 includes over 110 practices based on NIST SP 800-172. 


All subcontractors that are handling the same type of FCI and CUI are required by CMMC to certify their compliance with the same CMMC level as the prime contractor.  

Subcontractors can certify their compliance with a lower CMMC level only when the prime contractor shares only select information with them, such as when a contractor handling both FCI and CUI hires a subcontractor that only needs to see FCI.  

As far as non-US contractors go, the DoD is sticking with existing cybersecurity requirements, which are defined in FAR 52.204-21 and DFARS 252.204-7012, so the CMMC doesn’t apply to them.


If you’re just embarking on your CMMC compliance journey, then you should start by identifying whether you hold any federal information that might qualify as CUI. You can then use the gathered information to determine which of the three CMMC 2.0 levels you need to comply with.

If that sounds like too much work to you, or if you’re simply looking for expert assistance, then we at Help Desk Cavalry can ensure that your CMMC compliance journey is as comfortable and efficient as possible. Get in touch today to learn more about our services.