Understanding the DoD’s CMMC alphabet soup
The Department of Defense (DoD) will begin writing CMMC requirements into contracts in May 2023. That’s only 7 months away and companies are hustling to get up to code in time. But many organizations are bumping up against a big roadblock: DoD’s alphabet soup.
CMMC is a world awash in acronyms. To achieve compliance, you’ll first need to understand the language of CMMC. This blog will define some of the most common CMMC terms and provide you a context for their use.
A C3PAO (CMMC Third Party Assessment Organization) is an IT service organization that has successfully completed training with CyberAB (Cyber Accreditation Board) and has been assessed by the Defense industrial Base Cybersecurity Center (DIBCAC) to ensure it meets CMMC Level 2 standards.
In coordination with DIBCAC auditors, C3PAOs currently can provide voluntary assessments of defense contractors’ compliance with NIST 800-171. Once CMMC is codified into law in 2023, C3PAOs will conduct CMMC Level 2 assessments.
The CAP (CMMC Assessment Process) stipulates the procedures and guidance for C3PAOs on how to conduct CMMC Level 2 assessments. The CAP ensures that CMMC is assessed uniformly throughout the Defense Industrial Base, regardless of which C3PAO is conducting the assessment.
The CAP is currently in draft mode, seeking comments. A final version should be issued by March 2023.
The Civil Cyber-Fraud Initiative (CCFI) aims to hold government contractors and grant recipients accountable under the False Claims Act for violations involving cybersecurity-related fraud. Specifically, the CCFI is looking to put pressure on individuals and entities that knowingly provide deficient cybersecurity products or services and misrepresent their cybersecurity practices.
In March 2022, the CCFI settled its first case. Comprehensive Health Services of Cape Canaveral, Florida, agreed to pay $930,000 to resolve allegations that it falsely represented compliance with the provision of medical services to soldiers at State Department and Air Force facilities in Iraq and Afghanistan.
CMMC is the Cybersecurity Maturity Model Certification framework created by the DoD in response to increasing cyberthreats. CMMC is designed to unify standards for the implementation of cybersecurity practices throughout the Defense industrial Base (DIB). One of DoD’s top goals for CMMC is to better protect Controlled Unclassified Information (CUI). Unlike previous programs, CMMC ensures rigorous, objective enforcement of these standards. In 2021, CMMC was updated to CMMC 2.0 from version 1.0 in order to streamline the program.
CMMC has 3 security levels. Each level details security controls and procedures the contractor must follow based on the sensitivity of the information the defense contractor is handling. CMMC Level 1 demonstrates Foundational security. Level 2 demonstrates Advanced Security. Level 3 demonstrates Expert security.
A CRM (Customer Responsibility Matrix) is a document that clearly defines how a company will meet its responsibilities for protecting CUI (Controlled Unclassified Information) and FCI (Federal Contract Information), which responsibilities are met by the vendor and what responsibilities are shared by both the organization and the vendor. A CRM also outlines how a company’s software and/or protocols satisfy the 110 NIST 800 171 controls.
A CRM helps companies maintain clear oversight of their responsibilities and demonstrate how the company meets them.
A CSP (Cloud Service Provider) is a third-party company offering a cloud-based platform, infrastructure, application, or storage services. CSPs require companies to pay only for the amount of cloud services they use, following a utility model like that used for electricity or gas consumption.
CSPs, like PreVeil, Dropbox and G Suite, can make sharing and storing data more accessible to organizations. CSPs save organizations the cost and effort of designing their own system from scratch. It is important, however, to ensure that your CSP’s cybersecurity supports DoD standards before using it to process sensitive information.
CUI (Controlled Unclassified Information) is information that requires safeguarding or dissemination controls pursuant to and consistent with federal law, regulations, and government-wide policies. FCI (Federal Contract Information) is information not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government.
Contractors that handle FCI will need to achieve CMMC Level 1. Contractors that handle CUI will need to achieve at least CMMC Level 2.
The Cyber AB (Cyber Accreditation Board), formerly known as the CMMC AB (Cybersecurity Maturity Model Certification Accreditation Board) authorizes and accredits C3PAOs. The Cyber AB acts as the only non-governmental party of the DoD in the oversight and implementation of the CMMC standard.
The Cyber AB is the only channel for accreditation of C3PAOs, which in turn are the only channel for CMMC Level 2 certification.
The DIB (Defense Industrial Base) is the vast network of organizations that provides goods and services to the DoD. The DIB includes more than 220,000 organizations that contract either directly with the DoD as “primes” or as subcontractors in the DoD supply chain.
If you’re reading this, chances are you’re in the DIB.
The DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) leads the Department of Defense’s efforts to minimize contractor cybersecurity risk. DIBCAC assesses contractors’ compliance with DFARS 252.204-7012 and NIST 8000-171. DIBCAC also defines and carries out CMMC level 3 assessments. And, they also provide assessments of C3PAOs.
The DFARS (Defense Federal Acquisition Regulation Supplement) is a set of cybersecurity regulations issued by the DoD, beginning in 2015. The DFARS 252.204-7012 memorandum focuses on protecting CUI and required contractors to comply with NIST 800-171 by late 2017.
In response to slow and inconsistent adoption of DFARS 252.204-7012 and increasing cyberthreats, the DoD created the CMMC program. CMMC largely follows the security standards set by NIST 800-171 and DFARS 252.204-7012
FedRAMP (Federal Risk in Authorization Management Program) is a government-wide program that provides a standardized approach to security authorizations for Cloud Service Offerings. FedRAMP has three levels of standards – Low, Moderate, and High. The program is designed to facilitate the adoption of secure cloud services.
Cloud Service Providers (CSPs) that handle CUI and work directly with the government need to achieve FedRAMP Moderate ATO (Authority to Operate). CSPs that handle CUI but don’t work directly with the government need to achieve FedRAMP Moderate Equivalent.
FIPS (Federal Information Processing Standards) are a set of standards used to validate that the cryptographic modules produced by private sector companies meet National Institute of Standards and Technology (NIST) security standards. Cybersecurity companies that offer encryption of data at rest or in transit to organizations in the DIB that handle information such as CUI and ITAR must implement FIPS 140-2 standards. NIST provides a certification to companies that have successfully gone through the FIPS 140-2 validation process.
Contractors are responsible for ensuring that their service providers, including network and cloud service providers, are FIPS 140-2 certified.
GRC (Governance, Risk, and Compliance) is a platform that provides a set of processes and procedures that a business needs to follow in its everyday operations.
A GRC can support a unified company-wide approach to cybersecurity and risk, as well as build collaboration for faster incident response. GRC can also help a company achieve CMMC compliance by improving its resource use efficiency.
ITAR (International Traffic and Arms Regulations) is a regulatory regime used to control the export of defense and military related technologies to safeguard U.S. national security and further U.S. foreign policy objectives. Any U.S. company, research lab or university that engages in either manufacturing or exporting defense articles or furnishing defense services is required to register and comply with ITAR regulations.
ITAR is relevant to any organization that distributes defense and space related services and goods.
An MSP (Managed Service Provider) is a third-party company that provides services such as, for example, technical support or subscription services.
An MSP can remotely manage a customer’s information technology (IT) infrastructure and end-user systems, freeing the company to focus their resources elsewhere. Using an MSP can help companies avoid service interruptions or extended system downtimes.
NIST (National Institute of Standards and Technology) created the 800-171 standard to regulate how CUI is handled. CMMC Level 2 security controls will mirror the 110 controls of NIST 800-171. NIST 800-171 however, has allowed more self-reporting, while CMMC will require external verification of compliance for levels 2 and 3.
If you handle CUI, you need to be NIST 800-171 compliant. Becoming NIST 800-171 compliant will position your organization for CMMC Level 2 certification.
An OSC (organization seeking certification) is a company undergoing a CMMC compliance journey and seeks to be assessed. If you’re a defense contractor handling any sort of sensitive information, chances are you’re an OSC.
A POA&M (Plan of Action & Milestones) is a document that identifies security tasks that still need to be accomplished. It details what resources will be required, what milestones must be met, and what the completion dates for those milestones will be.
POA&Ms are a useful tool in a CMMC journey. They can buy companies a limited amount of extra time to meet certain NIST 800-171 controls. POA&Ms are not a loophole out of compliance as they are time-limited.
A RP (Registered Practitioner) / RPO (Registered Provider Organization) is a consultant that has successfully completed a Cyber -AB training program. The Cyber AB officially defines an RP as a “consultant, coach, or implementer that completes basic CMMC training and testing, passes a criminal background check, signs the Code of Professional Conduct, and is listed on the CMMC AB Marketplace.”
There are currently 1,300+ RPs and 400+ RPOs on the CMMC AB Marketplace, all offering different services, at different price points, and with different track records. Look for experience and proven past successes when selecting an RP/RPO.
An SSP (System Security Plan) is a document that details the policies and procedures a defense contractor has in place to meet the 110 NIST 800-171 controls required for CMMC compliance. The SSP is a foundational document that is a prerequisite for consideration for a DoD contract. It should be put in place as a first step in an organization’s CMMC journey.
An SSP serves as a roadmap for compliance, giving companies oversight of where they are and what they still need to accomplish. A well-executed SSP also makes it easier for organizations to demonstrate compliance to their eventual assessors.
SPRS (Supplier Performance Risk System) is the DoD’s single authorized application for gathering supplier performance information. Under a DFARS Interim Rule issued in 2019, organizations are required to file their NIST 800-171 self-assessment scores in SPRS by the time of their contract award.
The DoD is cracking down on overstated self- assessment scores. Going forward, the Department of Justice (DOJ)’s False Claims Act can and will be applied to organizations misrepresenting themselves through inflated scores. Penalties can include high fines, as well as exclusion from contracts.
CMMC is a big step towards standardizing cybersecurity practices in the DIB. While it may initially seem overwhelming, CMMC should not box resource-conscious SMBs out of defense contracts. In fact, CMMC 2.0, released by DoD in late 2021, is a streamlined version of the original CMMC framework and was designed specifically to reduce complexity and costs for defense contractors.
If you haven’t yet begun your CMMC journey now is the time to do so. With less than a year until the CMMC Interim Rule goes into effect there is no time to waste. Start by educating yourself on CMMC terminology and requirements, then conduct a NIST 800-171 self-assessment to determine where your organization stands and what you still need to do.
Need help? We’re here for you.
PreVeil is a state-of-the-art encrypted file sharing and email platform that offers uncompromised security for storing and sharing CUI. Organizations can easily add PreVeil to their existing IT environments (including Microsoft 365 Commercial), dramatically reducing the time and expense required to achieve compliance.
- Find out more about PreVeil and how it complies with DoD cybersecurity mandates here on this one-page, two-minute read.
- Schedule a free 15-minute consultation with one of our compliance experts to answer your questions about DFARS, NIST and CMMC requirements.
Read PreVeil’s briefs:
- The DFARS Interim Rule: What you need to know
- NIST SP 800-171 Self-Assessment: Improving Your Cybersecurity and Raising Your SPRS Score
- Case Study: Defense Contractor Achieves 110/110 Score in NIST SP 800-171 DoD Audit
- Meeting the System Security Plan Challenge
- PreVeil enables CMMC Level 2 compliance with M365 Commercial
- Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC 2.0)