What is CMMC?
Since 2016, the Department of Defense (DoD) has been increasing its cybersecurity requirements for Defense Industrial Base (DIB) partners, particularly regarding the implementation of NIST SP 800-171 controls. The Cybersecurity Maturity Model Certification (CMMC) is a compliance model supported by the DoD aimed at protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The CMMC program protects sensitive, unclassified information shared between the DoD, its contractors, and subcontractors. CMMC introduces third-party evaluation and approval as a prerequisite for contract awards, requiring contractors to maintain specified levels of security across various aspects of their operations.
CMMC Glossary
- Organizations Seeking Certification (OSC): An organization undergoing the CMMC assessment process to achieve certification for a specific environment.
- Certified Third Party Assessment Organization (C3PAO): An entity with at least two associated assessors that holds a license to conduct CMMC assessments for organizations seeking certification.
- CMMC Accreditation Body (AB): The accreditation body establishes and oversees a qualified, trained, and high-fidelity community of assessors. These assessors deliver consistent and informative assessments to participating organizations against a defined set of controls and best practices within the CMMC program.
CMMC 2.0
The DoD has launched an evolved CMMC 2.0, focusing on reducing barriers to compliance for small and mid-sized firms. With its simplified requirements, CMMC 2.0 allows self-assessment for some requirements, prioritizes protecting DoD information, and strengthens cooperation between the DoD and industry to address evolving cyber threats. It is structured into three compliance levels, with Level 3 required to handle the most sensitive CUI or confidential data. The proposed CMMC 2.0 Program Rule is expected to become a final, published rule by the end of 2024. Official CMMC audits for Defense contractors can begin after that.
The changes from CMMC 1.0 to CMMC 2.0 were made to increase trust in the CMMC assessment ecosystem and clarify and align cybersecurity requirements with other federal and commonly accepted standards. Due to streamlined requirements and increased oversight of the assessment ecosystem, CMMC assessment costs are projected to be lower relative to CMMC 1.0.
CMMC Assessments and Certification
The CMMC 2.0 implementation will require annual self-assessments at the assigned level. Triennial assessments will be required when CMMC certification is necessary, with the assessments provided by the Government or authorized and accredited assessors. The DoD will have access to assessment information and data, which will be stored in the SPRS and eMASS databases, but the assessment results will not be made public. For more detailed answers to your CMMC 2.0 questions, visit https://dodcio.defense.gov/CMMC/FAQ/.
Implementing CMMC-Compliant Technology
Government contractors of all sizes face challenges adapting to the constantly changing security landscape. Many contractors prioritize selecting an ERP solution to support their CMMC 2.0 compliance efforts by meeting DFARS requirements such as NIST 800-171, ITAR, and FedRAMP Moderate controls. Deltek Costpoint is the top choice for government contractors of all sizes. This all-in-one solution connects project data and processes, introducing time-saving automation and innovation throughout the entire project lifecycle. It revolutionizes operations from accounting to the shop floor and ensures compliance with government regulations, including cybersecurity.
Whether you want to learn more about how Deltek Costpoint can benefit your business or need assistance implementing the software to integrate with your existing systems, PCI is a proud award-winning Deltek partner. Contact us today, and our experts will be happy to assist you in meeting your business’s needs.