CMMC, or Cybersecurity Capability Maturity Model certification, is the United States Government's solution to the low rates of compliance associated with NIST SP 800-171. CMMC certification is not optional for companies, entities, or individual organizations that wish to do business with the US Government. It is designed to allow businesses that have complied and been certified by a credentialed or registered CMMC organization to do business. CMMC is still evolving and requires ongoing upkeep and professional oversight. It is intended to protect our US Government and those who do business with it.

What is the difference between CMMC and NIST?

While NIST SP 800-171 is primarily focused on protecting CUI wherever it is stored, transmitted and processed, your organization still needs to comply with both the CUI and NFO controls. CMMC focuses only on CUI controls and does not have NFO controls in scope for CMMC audits. Contact a professional at OSA to understand this further. It is common and good practice to start your evaluation with an initial CUI score. This score is commonly utilized.

Is CMMC based on NIST?

CMMC is based on both DFARS and NIST 800-171 and includes all 110 controls and more. CMMC Version 1.0 was originally made up of 5 maturity levels. Each level builds upon the preceding level.

Since DFARS is still a listed requirement in most government contracts, if you are bidding on a contract or have been awarded the work, you'll need to be compliant with all 110 NIST 800-171 controls in order to fulfill the DFARS clause. DFARS does not address the CMMC at all, but a new clause is currently being drafted for this purpose.

CMMC Version 1.0
Level 1 | 17 practices | BASIC
Level 2 | 72 practices, 2 processes | INTERMEDIATE/TRANSITION
Level 3 | 130 practices, 3 processes | GOOD
Level 4 | 156 practices, 4 processes | PROACTIVE/TRANSITION
Level 5 | 171 practices, 5 processes | ADVANCED

In March 2021, the DoD performed an internal review of the CMMC requirements and announced changes in November 2021. The updated CMMC Version 2.0 has condensed 5 levels into 3 levels.

The DoD introduced the Plan of Actions and Milestones (POAM), where organizations that have not yet fully implemented 800-171 can submit a solid plan for achieving full compliance, with specific dates and a timeline.
This POAM is submitted before work begins and enables organizations to begin working for federal agencies while they simultaneously work towards full implementation of 800-171.

| CMMC Version 1.0 | CMMC Version 2.0 | Model | Assessment Requirement |
|---|---|---|---|
| Level 1 – (Based on DFARS) | LEVEL 1 Foundational | 17 practices - from NIST 800-171 | No third party assessment. Do an annual self-assessment and upload score to SPRS |
| Level 2 | | | |
| Level 3 – (NIST 800-171) | LEVEL 2 Advanced | 110 practices – aligned with NIST 800-171 | Critical CUI handlers will be assessed by a C3PAO three times a year. Handlers of non-critical CUI will only need a self-assessment, like level 1. |
| Level 4 | | | |
| Level 5 – (NIST SP 800-172) | LEVEL 3 Expert* | Over 110+ practices based on NIST 800-172 | Government-led assessment three times a year. |


CMMC certifications can only be issued by a Certified 3rd Party Assessment Organization (C3PAO), but no company has yet been “certified to certify”.
Criticality has not yet been defined, which is important to keep in mind for those attempting level 2 maturity.
Guidance has been published to allow companies to prepare for its upcoming implementation, predicted to be within 18-24 months.
*Expert Level 3 has not yet been developed and will be based on NIST SP 800-172.