Triumvirate Cyber

CMMC 101: Intro to Compliance

Updated: Aug 6

The Cybersecurity Maturity Model Certification (CMMC) program, at its core, is an effort by the U.S. Department of Defense to protect sensitive data managed by its private industry partners where the information does not meet the threshold for classification, but could still detrimentally impact U.S. national security interests.


What is Controlled Unclassified Information (CUI)?


Executive Order 13556 established a formal definition of Controlled Unclassified Information (CUI) in 2010 with the intent to address the patchwork of classification schemes for unclassified information used across the federal government. Specifically, CUI is information which “requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and Government-wide policies.”[1]


Since 2010, the U.S. National Archives and Records Administration (NARA) has defined 20 groupings comprising over 100 categories of Controlled Unclassified Information and maintains the listing in its CUI Registry.[2] The registry includes a description of each CUI category and its marking requirements, and cites the law, regulation or government-wide policy that justifies the category's designation as CUI.


In brief, CUI is information which requires protection due to U.S. federal law, regulation, or policy but is not classified under Executive Order 13526 “Classified National Security Information.”[3]


How did we get from CUI to CMMC?


Since 2017, the DoD has required contractors that handle covered defense information to implement the requirements of NIST Special Publication 800-171 under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, with compliance attested by the contractor itself. Self-attestation proved insufficient: data breaches involving CUI continued to occur at organizations that had attested to meeting the requirements, which led the U.S. Department of Justice to launch its Civil Cyber-Fraud Initiative in 2021 to pursue False Claims Act liability for knowingly misrepresented cybersecurity practices.[4]


To provide a verifiable method of ensuring DoD contractors were implementing the controls in NIST SP 800-171, the DoD developed CMMC version 1.0 and published it as an interim rule under DFARS Case 2019-D041 in 2020.[5] After receiving feedback from DoD contractors in the Defense Industrial Base (DIB), the DoD released a revised version of the program, CMMC 2.0, in late 2021.[6] This version establishes three levels of certification based on the type of information a given contractor handles: Level 1 for Federal Contract Information (FCI), Level 2 for CUI (the 110 requirements of NIST SP 800-171), and Level 3 for CUI on the most sensitive programs (Level 2 plus a subset of the enhanced requirements in NIST SP 800-172).


How does NIST SP 800-171 relate to CMMC?


As mentioned above, the DoD has defined NIST SP 800-171 as the foundation of the CMMC program. NIST SP 800-171 is a framework of 110 requirements identified as adequate to protect CUI. These requirements are broken into 14 families based on their topic (e.g., Access Control, Personnel Security, etc.).[7]


While the CMMC rule was originally written to use the version of NIST SP 800-171 "in effect at the time the solicitation is issued" by the DoD, a class deviation issued in May 2024 (Class Deviation 2024-O0013) directs contracting officers to use NIST SP 800-171 Revision 2, rather than the newer Revision 3, until further notice.[8] In practice, this means a contractor preparing today should build its System Security Plan and assessment evidence against the 110 requirements and 14 families of Revision 2.


When will CMMC go into effect?


Due to the complexity of rulemaking within the U.S. federal government and the DoD, the CMMC rule is expected to be finalized in late 2024/early 2025, with enforcement in DoD contracts through DFARS 252.204-7021 via a phased rollout expected to begin by October 2025. At that point, DoD contractors will be required to have achieved the CMMC level named in the solicitation before being awarded the contract. Depending on the level, that means an annual self-assessment (Level 1 and a subset of Level 2 contracts), a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) for most Level 2 contracts, or a government-led assessment for Level 3.


Why should I start preparing for CMMC now?


Preparing for CMMC is a time-consuming process with many variables, including:

  • What level of certification will be required

  • The size and complexity of your organization

  • The amount of interconnectivity between your IT systems, your partners’ IT systems, and your service providers (including cloud platforms)


Implementing the full suite of 110 controls can take an organization 12 to 18 months. Ensuring you're able to meet these requirements is imperative to continuing to take DoD contracts once the CMMC rule goes into effect.


This can be an intimidating process, so Triumvirate Cybersecurity offers a suite of services to help our customers figure out where they are now and what they need to do to walk into their CMMC assessment with confidence. Review our services and contact us to discuss how we can help you go from CMMC-curious to CMMC-certified!




Citations for Nerds

