Many federal contractors are nervous about the U.S. Department of Defense’s new Cybersecurity Maturity Model Certification (CMMC).

According to the U.S. Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)):

DoD is migrating to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB) sector. The CMMC is intended to serve as a verification mechanism to ensure that DIB companies implement appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their unclassified networks.

And yes, that means that if contractors are not certified at the proper level, they will be unable to bid on federal contracts.

It’s no surprise that contractors are feeling concerned, because the CMMC framework, at first glance, is daunting in its complexity. It is composed of five advancing levels of cybersecurity preparedness, 17 domains across which cybersecurity should be enacted, 43 capabilities, and some 171 practices.

But it might give federal contractors some comfort to understand how the DoD arrived at the CMMC framework. Specifically, if you previously did work to comply with NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), you are well on the road to being compliant with the CMMC because it is largely based on that NIST framework. In fact, all 110 requirements from NIST 800-171 are captured within Levels 1-3 of the CMMC, accounting for 85% of the Level 3 practices.[1]

Beyond NIST 800-171

In its FAQ, the OUSD(A&S) tells us that CMMC maps to NIST SP 800-171 and that “the CMMC Model also incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 ‘Critical Security Controls for Effective Capability in Cyber Defense’, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM).”[1]

Peeling the onion back another layer, NIST 800-171 is largely derived from the moderate security control baseline in NIST 800-53, so if that older framework is also on your radar, you’ll be pleased to learn that, of the 20 CMMC Level 3 practices that don’t overlap with NIST 800-171, 16 of them map to NIST 800-53.

Getting started

While alignment with NIST 800-171 and NIST 800-53 isn’t all that is necessary for CMMC Level 3 certification, it will take you close and is certainly the place to start. Our experience is that most federal government contractors are not only acquainted with, but also already compliant with, many of the NIST requirements. So that’s the good news.

Still, getting certified to CMMC Level 3 will require reviewing your security practices and ensuring they meet these combined standards. This is a step in the right direction, especially in light of recent nation-state attacks on U.S. federal agencies and contractors, such as the SolarWinds hack.

For more on CMMC and how Entrust solutions can help achieve compliance visit: https://www.entrust.com/solutions/compliance/cmmc

And for more details on the CMMC domains and practices and levels visit: /blog/2021/04/domains-and-practices-and-levels-oh-my-making-sense-of-cmmc/

[1] https://www.acq.osd.mil/cmmc/faq.html