Our Virtual CMMC Compliance Team can provide the level of support that you need with a data driven approach, powered by our internally developed CMMC Compliance Tool, minimizing the risk of something slipping through the cracks.
| History | Key Facts |
|---|---|
| December 2017 | DFARS 252.204-7012 became effective requiring DoD contractors to comply with NIST SP 800-171. Compliance with 800-171 was achieved via contractor self-certification. Self-certification was determined to be insufficient. |
| January 2020 | DoD published CMMC version 1.0. |
| September 2020 | DoD published interim rule, which implemented timeline for rollout of CMMC version 1.0 to DoD contractors, Contractors with Controlled Unclassified Information (CUI) were also required to begin self-reporting compliance with NIST SP 800-171 in the DoD’s Supplier Performance Risk System (SPRS) |
| November 2021 | DoD announced CMMC version 2.0, suspending the rollout of CMMC requirement until final rules are published. Estimated timeline for final rulemaking will take 9 to 24 months. |
| December 2023 | DoD published CMMC version 2.0 |
| December 2024 | Title 32 Rule goes into effect. CMMC Assessment can begin to occur but will not appear in DoD solicitations until the Title 48 Rule goes into effect. |
| Key Facts |
|---|
| CMMC 2.0 has three maturity levels (ML-1, ML-2, ML-3). The CMMC maturity level a contractor must comply will be specified in the DoD solicitation or RFI. |
| Under CMMC 2.0, the large majority of DoD contractors will be able to continue with self-certification. For these contractors, a senior company official will have to provide an annual affirmation that the company is complying with its maturity level’s CMMC cybersecurity requirements. The DoD contractors that will have access to information that is deemed to be critical to national security will be required to undergo third-party assessments. |
| CMMC 2.0 now allows for Plan of Action and Milestones (POAMs) in certain cases. |
| The DoD is considering providing incentives for contractors who voluntarily obtain a CMMC certification in the interim period. |
The DoD is phasing in the implementation of the CMMC program:
| Phase | Timing | Solicitation/Contract Requirements |
|---|---|---|
| Phase 1 | Begins at Title 48 effective date | Level 1 or 2 Self-Assessment |
| Phase 2 | Begins 12 months after Phase 1 start | Level 2 third-party certification |
| Phase 3 | begins 24 months after the phase 1 start | Level 3 third-party certification |
| Phase 4 | Begins 36 hours after the Phase 1 start | All solicitations/contracts have CMMC Level requirements |
CMMC Maturity Levels
The CMMC framework has three maturity levels (ML). ML-1 is the least rigorous, ML-3 the most. The maturity level and assessment requirements are based on the sensitivity of the information shared with the contractor. Contractors who only have access to Federal Contract Information (FCI) will be ML-1. Contractors who have access to Controlled Unclassified Information (CUI) will be ML-2 or ML-3. Contracts that have CUI that the DoD deems not to be critical to national security will be ML-2 and might only require the contractor to annually self-certify compliance with CMMC 2.0.
Read more about FCI and CUI here
| Maturity Level 1 | Foundational |
|---|
| 17 practices |
| Requires contractor to annually perform self-assessment |
| Maturity Level 2 | Advanced |
|---|
| 110+ practices aligned with NIST SP 800-171 |
| For contracts with critical national security information, requires contractor obtain triennial third-party assessment For contracts with CUI that is not deemed critical to national security, contractor to perform annual self-assessments |
| Maturity Level 3 | Expert |
|---|
| 110+ practices based on NIST SP 800-172 |
| Requires contractor to obtain triennial government-led assessments |
DoD contractors need to ensure they are prepared to meet the cybersecurity requirements for their CMMC Maturity Level.
DoD contractors first need to determine the CMMC Maturity Level with which they need to comply. Contractors should review their current contracts and speak with their contracting officers, contracting officer’s technical representative (COTR), or other DoD representative to determine the sensitivity of the information (CUI vs FCI) the government considers the contractor to have.
Once the Maturity Level is determined, contractors should perform an assessment to determine if there are any CMMC requirements that it is not meeting for their specific Maturity Level. If gaps are identified, the contractor needs to implement corrective actions to resolve the gaps.
Additionally, if not already performed, DoD contractors with CUI need to perform a self-assessment against NIST SP 800-171 and self-report in the DoD Supplier Performance Risk System (SPRS).
Keiter is a Registered Practitioner Organization (RPO) in the CMMC Marketplace.
Many DoD contractors will need assistance in getting ready for their self- and/or third-party assessments, to include identifying controls, identifying gaps, and developing plan of action and milestones (POA&Ms). Keiter’s Risk Advisory Services team has been providing cybersecurity services and consulting on the major IT frameworks such as NIST SP 800-171, NIST SP 800-53, HIPAA, and others for close to 20 years. As CMMC RPO, our team can help DoD prime and subcontractors with the following:
Below is our full collection of articles about the CMMC Level 1 Practices. In these articles we dive into the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC resource.
AC.L1
IA.L1
MP.L1
PE.L1
SC.L1
SI.L1
Scoping is the first step. Get started with a with a scoping exercise.
The larger or more complex your enclave, the greater costs you will incur.
Accordingly, we approach scoping with an eye for compliance as well as opportunities to shrink your enclave.
en·clave – än-klāv : A set of system resources that operate in the same security
domain and that share the protection of a single, common, continuous security perimeter. – NIST
Prior to scoping, organizations should already have a target CMMC Maturity Level. Most organizations will start at either:
Determining your target maturity level is a management decision based upon:
We can assist in this process upon request.
Meet with stakeholders, review documentation (network diagrams, data flow diagrams, architecture documents, and more) to identify the assets in your assessment scope.
The CMMC Level 1 and Level 2 Scoping Guides together identify six Asset Categories: FCI Assets, CUI Assets, Security Protection Assets (SPA), Contractor Risk Managed (CRM) Assets, Specialized Assets, and Out-of-Scope Assets.
However, there are other ‘things’ that fall within the assessment scope. Namely people and facilities. For example, CMMC Awareness and Training (AT) practices require security awareness training delivered to people, and Physical Protection (PE) requires security in facilities.
Additionally, some of your assets may involve third parties with their own compliance requirements, such as cloud service providers (CSP) or other external service providers (ESP), like managed IT services.
In this step, we work with your team to identify your in-scope assets and classify them into an appropriate asset type. This is the foundation of the remainder of your scoping exercise.
Work with stakeholders to identify opportunities to minimize your scope.
Document asset applicability for each CMMC Practice.
Based on what we’ve learned by working with your team, we will document asset applicability conclusions for each in-scope asset for each practice. For any practice that does not apply to a particular practice, we will document the rationale. For example, requirements to escort visitors does not apply to a CUI processing engineering system.
Powered by our CMMC Compliance Tool
All scoping documentation is entered into our internally developed CMMC Compliance Tool – which is yours forever as a benefit of retaining us for any CMMC related service.
Even the simplest organizations will have THOUSANDS of CMMC compliance data points. To attempt to comply in any other than a data driven manner invites waste and error.
The tool is easily maintained in your own environment. It is your security data, and we believe you should have the right to keep it in your environment, forever.
From scoping to the creation of your SSP, the CMMC Compliance Tool tracks thousands of requirements, scoping decisions, and internal assignment of responsibility, evidence location, related status, and more.
Below is our full collection of articles about the CMMC Practices. In these articles we dive in to the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC resource.
AC.L1
IA.L1
MP.L1
PE.L1
SC.L1
SI.L1
Risk Advisory Services Partner
Risk Advisory Services Senior Manager
