Who needs CMMC certification?
By 2026, most defense contractors conducting work for the DoD – other than those managing Commercial Off The Shelf (COTS) – will need to achieve CMMC certification. The level of certification you need will depend on the requirements spelled out in your contract.
3 MAIN OBJECTIVES:
Companies that have FAR 52.204-21 (a subset of DFARS requirements) in their contract and handle only FCI will need to achieve CMMC Level 1. This will not require third-party certification. Instead, the contractor must specify the people, technology, facilities and external providers within their environment that process, store or transmit FCI. Companies will be required to self-certify once per year that they meet the basic safeguarding requirements for FCI specified in the FAR clause.
Companies that have a DFARS 7021 clause in their contract and handle CUI will need to achieve CMMC Level 2. This requires passing a third-party assessment every three years. The DoD has rolled back earlier statements that it would bifurcate Level 2 requirements and allow for limited self-attestation. Instead, all organizations seeking Level 2 will need to self-assess every year and undergo a formal assessment by an accredited C3PAO or certified CMMC Assessor once every three years.
Companies handling the most sensitive information will need to achieve CMMC Level 3 (Expert) compliance. These companies will have a DFARS 7021 clause in their contract. To achieve Level 3, they will need to meet the security requirements specified in NIST SP 800-171 plus a subset of the requirements specified in NIST SP 800-172. The DoD is still in the process of determining how organizations seeking Level 3 compliance will be assessed. However, those companies will require a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) audit to achieve compliance.
How does CMMC Differ from NIST 800-171?
CMMC and NIST 800-171 share the exact same 14 control families and 110 controls. “CMMC is just the validation program that people have done what they already agreed to do in complying and establishing the requirements of NIST 800-171 in their current networks.”
NIST 800-171 has applied to all organizations handling CUI since 2017, so organizations should already have a good grasp of cybersecurity requirements under CMMC.
While CMMC doesn’t change cybersecurity requirements for organizations handling sensitive information, it steps up enforcement of those requirements. Companies were previously allowed to self-assess their compliance with NIST 800-171, but under CMMC they will be subject to third-party assessments.
Assessment by C3PAOs will ensure that compliance scores are objective. Companies that are unable to meet all controls at the time of assessment may be granted strictly time-limited POAMs; however, these will be granted selectively and cannot be applied to the more challenging controls. All POAMs will also need to be closed out within a 180-day deadline, and are thus a tool to improve CMMC accessibility, not a CMMC solution in themselves.
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063