CMMC is a certification process related to a compliance level system derivative of NIST 800-171. NIST 800-171 is a framework of controls that any non-Federal computer system must follow to store, process, or transmit Controlled Unclassified Information (CUI) or provide security protection for such systems. CMMC helps the Department of Defense (DoD) determine whether an organization has dedicated adequate resources to provide appropriate security to work with controlled or otherwise vulnerable data.
Small and medium-sized businesses face additional challenges when seeking CMMC certification than larger enterprise businesses with more personnel and resources.
The first thing a DoD contractor must determine is what level of compliance your company must meet. Level 1 (Foundational) pertains to systems that process, store, or transmit Federal Contract Information (FCI). Level 1 compliance is based on 17 controls found in Federal Acquisition Regulations 52.204-21. Level 2 (Advanced) pertains to systems that process, store, or transmit Confidential Unclassified Information (CUI). Level 2 will mirror NIST 800-171 with 14 categories and 110 security controls. Level 3 (Expert) focuses on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on DoD’s highest priority programs. Level 3 is based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls. Most small to medium-sized businesses will only be concerned with Level 1 and Level 2.
After a company has decided on which level of compliance it desires to achieve, it will conduct a self-assessment of its current compliance posture and enter that score into the Supplier Performance Risk System (SPRS). For example, scores for Level 2 can range from -196 to +110.
When the Contractor’s score is uploaded into SPRS, then the hard work begins to improve that score until they reach the appropriate level of CMMC certification dictated by whether the company transmits, processes, or stores FCI or CUI. The responsibility of compliance cannot be delegated to a third party. A third party such as Nomerel can greatly assist a Contractor in implementing toolsets, producing documentation such as Plan of Actions and Milestones (PoAM) and System Security Plan (SSP), and creating policies and procedures. However, the ultimate responsibility for compliance rests in the adherence of the Contractor’s employees to the policies and procedures.
Once a Contractor feels they have achieved their selected level of compliance, there must be an assessment to verify and certify the compliance. DoD intends for Contractors required to be compliant with Level 1 to be allowed to conduct a self-assessment for CMMC. The self-assessment of the Contractor’s network(s) will be required annually, accompanied by a yearly affirmation, under penalty of law, from a senior company official that the company is meeting requirements.
Likewise, a subset of programs with Level 2 requirements that do not involve information critical to national security and associated contractors may be allowed to conduct self-assessments as well. This self-assessment will also require a yearly affirmation from a senior company official that the company is meeting requirements.
Those vendors involved in programs that affect information critical to national security will be required to obtain a third-party assessment. These third-party assessments will be conducted by CMMC Third Party Assessment Organizations (C3PAOs). C3PAOs are listed on the CMMC-AB Marketplace. After completing the CMMC assessment, the C3PAO will provide an assessment report to the DoD.
In conclusion, attaining CMMC can be a daunting task if a Contractor tries to do it by themselves while managing their day-to-day business. Nomerel’s security and technology experts can help Contractors needing Level 1 or Level 2 CMMC. We have a CMMC Registered Practitioner for consultation and to guide the process and technology experts to implement toolsets, write policies and procedures, provide documentation and verification of compliance and assist in any assessments. Please contact us for more information.