Page 32 - Cyber Defense eMagazine February 2024
History of CMMC
Defense contractors are required to implement security controls to safeguard sensitive unclassified
information. For example, in cases where the government issues solicitations or contracts involving the
processing, storage, or transmission of FCI, contractors are required to implement the fundamental
safeguarding requirements outlined in the Federal Acquisition Regulation (FAR) clause 52.204-21.
Similarly, for defense contracts where CUI will be processed, stored, or transmitted during the
performance of the contract, the contractor must implement the security requirements in NIST SP 800-
171 per Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. Enforcement of
these requirements is primarily achieved through self-attestation. A 2019 DoD Inspector General report
found that implementation of these requirements is inconsistent, and self-attestation does not provide
sufficient assurance that defense contractors are implementing adequate measures to protect sensitive
unclassified information. Additionally, the report recommended the DoD take steps to more effectively
validate contractor compliance with CUI protection requirements. It also recommended improvement in
DoD contracting processes and enhancements to procedures related to document marketing.
While unclassified, information like CUI holds significant importance to the economic and national security
of the United States. In recognition of this, the FY20 National Defense Authorization Act (NDAA) charged
the DoD with creating a “consistent, comprehensive framework to enhance cybersecurity for the United
States defense industrial base.” This requirement led the DoD to create an initial iteration of CMMC,
incorporating five scaled levels of security practices. These were based on requirements such as FAR
clause 52.204-21 and NIST SP 800-171, in addition to process maturity requirements. A second iteration
(CMMC 2.0) reduced the security requirements in the model to directly align with NIST SP 800-171 and
FAR 52.204-21, removed the process maturity requirements, and condensed the number of levels to
three.
In 2020, the DoD released an interim final rule that established a new DFARS clause around CMMC and
the assessment of NIST SP 800-171 security requirements. Currently, defense contractors handling CUI
must perform a self-assessment of the NIST SP 800-171 security requirements and submit the results of
the self-assessment to the government.
2023 Proposed Rule
In 2023, the DoD released another rule that builds upon the 2020 rule. This rule is a “proposed rule,”
meaning that the DoD must adjudicate and respond to public comments prior to the rule being final. While
this rule clarifies many public questions regarding CMMC and introduces some new requirements on
defense contractors, the security requirements for Levels 1 and 2 remain the same. For organizations
that must attain CMMC Level 1 and for some that must attain CMMC Level 2, there is a requirement to
perform a self-assessment and provide an annual affirmation of compliance with CMMC requirements.
Additionally, for most organizations that must attain CMMC Level 2, an independent third-party must
assess implementation of NIST SP 800-171. A very small subset of defense contractors that support
critical DoD programs will also need to achieve CMMC Level 3 and will be assessed by the Defense
Industrial Base Cybersecurity Assessment Center (DIBCAC). CMMC Level 3 is the only level that will
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.