Cybersecurity Maturity Model Certification (CMMC)
CMMC is a framework created by the U.S. Department of Defense (DoD) to assess an organizations' cybersecurity maturity level. Its goal is to reduce the risk of loss and ensure the protection of Federal Contract Information (FCI), Controlled Unclassified Information (CUI), and other sensitive information within the Defense Industrial Base (DBI) supply chain. CMMC is being rolled out over the next five years and will be valid for three years barring any incidents. This certification consists of five levels of maturity which contain practices and processes based on various cybersecurity standards and regulations, such as NIST SP 800-171, Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, etc. A third-party assessment performed by a Certified Third-Party Assessment Organization (C3PAO) is required to obtain the CMMC.
Interim DFARS Rule
The interim Defense Federal Acquisition Regulation Supplement rule (DFARS 252.204-7021) is a major rule change which went into effect on 11/30/2020. This rule change adds three new clauses to the original one which mandates compliance with NIST 800-171 for entities handling CUI. Two of the new clauses introduce and establish the CMMC requirements. The third one requires companies handling CUI to complete a self-assessment or Basic Assessment. This must be done using the DoD Assessment Methodology and a score must be generated. This score along with the gap remediation date into the Supplier Performance Risk System (SPRS). When the contract is awarded, a DoD contracting officer will verify the uploaded score. The DoD will then perform risk-based assessments to determine which company will be awarded the contracts.
Certified Third-Party Assessment Organization (C3PAO)
A C3PAO is an organization authorized and accredited by the CMMC-Accreditation Board (CMMC-AB) to perform certification assessments for Defense Industrial Base (DBI) companies, issue CMMC certificates at the appropriate level based on the assessment results and provide advice. These organizations are required to meet all DoD requirements and obtain accreditation from the CMMC-AB.
What level of CMMC is needed?
Level 1 certification will be required for all companies and institutions in contract with the DoD. Level 3 certification will be required for any contract handling CUI. At present, Drexel University plans to acquire a Level 3 certification.
What will CMMC cost?
The DoD will cover the costs associated with CMMC, including CMMC audits and the efforts undertaken to prepare for them. This is part of the DoD's emphasis of the mission critical nature of cybersecurity to the country's defense.
What is NDAA 889?
The National Defense Authorization Act Section 889 (NDAA 889) is an amendment to the Federal Acquisition Regulation (FAR). It prohibits government agencies from entering, extending, or renewing a contract with an entity using equipment, system(s), or service(s) classified as covered telecommunications and video surveillance equipment or services.
The US Government updates this rule periodically. In addition to the list of companies below and their subsidiaries and affiliates, the list of prohibited entities now includes other entities believed to be owned, controlled by, or connected to either the People's Republic of China or the Russian Federation.
- Huawei Technologies Company
- ZTE Corporation
- Hytera Communications Corporation
- Hangzhou Hikvision Digital Technology Company
- Dahua Technology Company
Drexel will have to certify that any equipment, systems, or services used in research or other work with the Government do not contain any covered telecommunications and video surveillance equipment or services covered under NDAA 889. Purchasing equipment and services from these vendors could jeopardize Drexel's ability to receive federal funding.
How does it affect Drexel?
Individuals or groups seeking to do business with the DoD should:
- Review the Request for Information (RFI) and Request for Proposal (RFP) for the appropriate CMMC level.
- Ensure the appropriate cybersecurity measures in place for the required CMMC level.
- Possess the appropriate level of CMMC certification before accepting an award.
- Ensure compliance with the NDAA 889 regulation.
- Comply with the interim DFARS rule.
Interim DFARS rule:
Contact firstname.lastname@example.org if you have any questions.