For a better experience, click the Compatibility Mode icon above to turn off Compatibility Mode, which is only for viewing older websites.

Cybersecurity Maturity Model Certification (CMMC)

CMMC is a program created by the U.S. Department of Defense (DoD) to protect the Defense Industrial Base (DIB) from cyber attacks and augment the protection of sensitive information, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), within its supply chain. This program has its own framework consisting of cybersecurity requirements to which entities seeking to do business and/or enter into a contract with the DoD will soon be required to comply and be certified against.

Recently, the DoD updated the CMMC framework to version 2.0. This updated version, consists of three maturity levels containing practices based on established cybersecurity requirements and regulations, such as NIST SP 800-171, Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, etc. Third-party assessments are required for certain levels of certification and must be performed by a CMMC Third-Party Assessment Organization (C3PAO).

Currently, this framework is in the rulemaking process which takes about 9-24 months and will result in the finalization and enforcement of these requirements in DoD contracts. This information is subject to change until the conclusion of the rulemaking process.

 

CMMC Model 2.0 Levels


Interim DFARS Rule

The interim Defense Federal Acquisition Regulation Supplement rule (DFARS 252.204-7021) is a major rule change which went into effect on 11/30/2020. This rule change adds three new clauses to the original one which mandates compliance with NIST 800-171 for entities handling CUI. Two of the new clauses introduce and establish the CMMC requirements. The third one requires companies handling CUI to complete a self-assessment or Basic Assessment. This must be done using the DoD Assessment Methodology and a score must be generated. This score along with the gap remediation date into the Supplier Performance Risk System (SPRS). When the contract is awarded, a DoD contracting officer will verify the uploaded score. The DoD will then perform risk-based assessments to determine which company will be awarded the contracts. The rule extends all the above requirements to any subcontractors.

FAQs

    What level of CMMC Certification is needed?

    Level 1 certification will be required for all companies and institutions in contract with the DoD. Level 2 certification will be required for any contract handling CUI. At present, Drexel University plans to acquire a Level 2 certification.

    What is a "C3PAO"?

    A “C3PAO” or CMMC Third-Party Assessment Organization is an entity certified to provide consultative advice OR certifies assessments.

    What is NDAA 889?

    The National Defense Authorization Act Section 889 (NDAA 889) is an amendment to the Federal Acquisition Regulation (FAR). It prohibits government agencies from entering, extending, or renewing a contract with an entity using equipment, system(s), or service(s) classified as covered telecommunications and video surveillance equipment or services.

    The US Government updates this rule periodically. In addition to the list of companies below and their subsidiaries and affiliates, the list of prohibited entities now includes other entities believed to be owned, controlled by, or connected to either the People's Republic of China or the Russian Federation.

    • Huawei Technologies Company
    • ZTE Corporation
    • Hytera Communications Corporation
    • Hangzhou Hikvision Digital Technology Company
    • Dahua Technology Company
    • Kaspersky Labs

    Drexel will have to certify that any equipment, systems, or services used in research or other work with the Government do not contain any covered telecommunications and video surveillance equipment or services covered under NDAA 889. Purchasing equipment and services from these vendors could jeopardize Drexel's ability to receive federal funding.

    How does it affect Drexel?

    Meeting all CMMC requirements is important in order to remain eligible for DoD research contracts. Not being compliant may impact Drexel’s research status.

    Individuals or groups seeking to do business with the DoD should:

    • Review the Request for Information (RFI) and Request for Proposal (RFP) for the appropriate CMMC level.
    • Ensure the appropriate cybersecurity measures in place for the required CMMC level.
    • Possess the appropriate level of CMMC certification before accepting an award.
    • Ensure compliance with the NDAA 889 regulation.
    • Comply with the interim DFARS rule.

Additional Resources

CMMC:

NDAA 889:

Interim DFARS rule:

Other resources:

Contact informationsecurity@drexel.edu ​if you have any questions.