2024 CMMC Update: DoD Outlines 4 Phase Approach To Implement CMMC
The Department of Defense (DoD) has outlined its four (4) phase approach for the inclusion of Cybersecurity Maturity Model Certification (CMMC) Program requirements in solicitations and contracts. The first phase is expected to begin in the 1st quarter of 2025, after The Office of Information and Regulatory Affairs (OIRA) approval, and conclude with the fourth phase expected around September 2027.
Please note: These dates reflect our expectations based on the information provided by the DoD. Therefore, these dates may change. We will update our site as soon as new information becomes available.
Phase Timeline:
- Phase 1 (1st quarter of 2025): Begins on the effective date of the CMMC revision to DFARS 252.204–7021
- Phase 2: Begins six months following the start date of Phase 1
- Phase 3: Begins one calendar year following the start date of Phase 2.
- Phase 4: Full Implementation. Begins one calendar year following the start date of Phase 3.
For details on each phase, please see our full article here. Read our recommendations for DoD contractors here.
DoD Releases CMMC 2.0 – November 4th, 2021
On November 4th, 2021, the DoD released CMMC 2.0 which includes several updates and changes to the original framework.
Summary of Key Updates from CMMC 1.0 to CMMC 2.0:
- Only 3 CMMC Levels: CMMC Levels 2 and 4 from the original CMMC framework have been eliminated, leaving only 3 current CMMC Levels. These Levels are detailed below.
- Level 1: Now only requires an annual self-assessment and affirmation by company leadership. No changes to the 17 basic cyber hygiene practices required.
- Level 2: The “old” CMMC Level 3 now becomes Level 2. 20 controls have been eliminated from the original framework’s Level 3 requirements, so contractors need only implement the 110 controls from NIST 800-171. The DoD will identify “prioritized acquisitions” that must undergo an independent third-party assessment against the new Level 2 requirements. All other organizations will only need to perform a self-assessment and affirmation by company leadership.
- Level 3: This level will replace CMMC Levels 4 and 5 from the original framework. While details are still being worked out, it is expected that this level will include controls from NIST SP 800-172 and assessments will be government-led.
For more details, please see our “CMMC 2.0 – Key Takeaways For DoD Contractors” post.
CMMC-AB National Conversation – May 28th, 2020 – Executive Summary
The following video is part of a series called National Conversations output by the CMMC-AB (Cybersecurity Maturity Model Certification Accreditation Body). CMMC-AB is a volunteer accreditation body informed by industry practitioners to create clear, operational standards for CMMC certification.
May 28, 2020—Committee member Regan Edens from the Standards Management Committee for the CMMC discusses the following updates regarding the implementation and standardization of the CMMC model. The goal of the Standards Management Committee is to make CMMC standards consistent, consumable, and clarified for Organizations Seeking Certification (OSC), CMMC professionals, assessors, and stakeholders.
Understanding the Lexicon
Edens explains that understanding the new lexicon used in the CMMC documentation is critical to understanding how compliance regulations should be met. Understanding key CMMC terms is crucial to passing a third-party assessment. Edens notes that there’s a difference in how the model is structured from DFARS 7012, so it’s important that DoD contractors understand those differences and how the lexicon varies.
Key Terms
- CUI: Controlled Unclassified Information.
- FCI: Federal Controlled Information (FCI is not addressed within DFARS compliance, so it’s critical that DoD contractors know whether or not they house FCI). FCI is regulated and protected in a similar way to CUI and is reflected on all levels of maturity.
- CMMC model: The documentation that houses the set of practices that organizations must follow to meet each level of cybersecurity maturity. It’s important to note that the model is designed to be agile, so the practices within the CMMC reference the standards for compliance, but because those standards will change to reflect the evolving threat landscape, the CMMC uses a resilient model to avoid radical change to the model when standards need to be updated.
- Core requirements or standards: What the law requires organizations that house FCI and CUI to do to maintain adequate cybersecurity.
- Practices: Capabilities that organizations should achieve, which reflect those core requirements or standards.
The CMMC Model: Practices Within the 5 Levels of Maturity
This current CMMC framework outlines the fundamental practices that the committee suggests DoD contractors focus on now to work towards achieving CMMC compliance.
These levels revolve around protecting regulated data (CUI/FCI). Any organization that houses FCI must comply with at least Level 1 of maturity. Focus on the fundamentals of your policies and procedures right now:
- Level 1: Focused on protecting FCI. You must meet, at the minimum, 15 practices outlined in 48 CFR 52.204-21 and FAR 52.204-21. Keep in mind that these 15 safeguarding requirements from 48 CFR 52.204-21 correspond to 17 security requirements in NIST SP 800-171. All 17 requirements must be met by any organization housing FCI.
- Level 2: Focused on protecting FCI. You must meet an additional 55 practices outlined in 48 CFR 52.204-21 and FAR 52.204-21.
- Level 3: Focused on protecting FCI and CUI. Minimum security requirements for safeguarding CUI. If you house CUI, you must meet these requirements. You must meet an additional 58 practices outlined in 48 CFR 52.204-21 and FAR 52.204-21.
- Level 4: Focused on protecting FCI and CUI. You must meet an additional 26 practices outlined in 48 CFR 52.204-21 and FAR 52.204-21.
- Level 5: Focused on protecting FCI and CUI. You must meet an additional 15 practices outlined in 48 CFR 52.204-21 and FAR 52.204-21.
Recommendations for DoD Contractors Required to Comply with DFARS 252.204-7012
Edens notes particular recommendations for those organizations wondering how the relationship between achieving DFARS 7012 compliance and CMMC certification will operate. He says these organizations should focus on three main priorities:
- Achieving strict DFARS 252.204-7012 Compliance. Edens explains that the DoD has increased its enforcement of these regulations, so it is imperative that these be met first. NIST 800-171 is the standard for the current DFARS requirements, but it is also the cornerstone of the CMMC standard and will help you prepare for third-party assessments.
- Finishing Your POA&Ms. Establishing your POA&Ms, according to the committee, will bring you 90–95% of the way to CMMC compliance. The CMMC recognizes that these organizations have a heavy investment in complying with DFARS 7012 requirements and establishing their POA&Ms, and has taken that into consideration in creating CMMC requirements.
- Understanding and Preparing to Achieve Level 3 Compliance. As you work through this process to comply with DFARS 252.204-7012, Edens urges contractors to understand important distinctions of CMMC compliance. Most importantly, organizations should consider the scope of their enterprise and where they are storing FCI and CUI. CMMC certification depends on you localizing this data as much as possible. Consolidating your regulated data so that you can track its workflow will help you avoid making your compliance challenges more onerous. The CMMC is designed to benefit each organization as well as protect the value of FCI and CUI, and consolidating data helps organizations improve Six Sigma goals such as organizational output and efficiency.
Your Questions Answered
Am I on the Right Track?
For organizations looking to understand whether they are on the right track to meeting CMMC compliance regulations, Edens says to evaluate the capabilities under the model that you are able to achieve. If your organization meets the capabilities of the level of maturity you need to meet, you are on the right track to the organizational outcomes for that level of certification. From there, it becomes a matter of refining your processes and procedures to better meet the goals of the CMMC.
Where Can I Find Help?
Implementation is challenging. Edens suggests organizations be careful about the professionals helping them get compliant (avoid at all costs businesses that advertise “DFARS compliance in three days,” for example). Look for professionals with expert knowledge who can provide the latest and most accurate information on CMMC certification.
How SysArc Can Help:
We’ve helped over 1,000 DoD contractors throughout the U.S. navigate the complexities of DFARS, NIST 800-171, and now CMMC. Through our many experiences, we’ve fine-tuned several solutions that enable our clients to prepare to achieve compliance faster and at a lower cost compared to other solutions that have been popping up in the market recently.
To speak with our team about your company’s needs or the needs of your suppliers, give us a call at (866) 583-6946 or request a CMMC consultation online now.
CMMC-AB National Conversation – May 26th, 2020 – Executive Summary
The following video is part of a series called National Conversations output by the CMMC-AB (Cybersecurity Maturity Model Certification Accreditation Body). CMMC-AB is a volunteer accreditation body informed by industry practitioners to create clear, operational standards for CMMC certification.
May 26, 2020—The CMMC-AB Credentialing Committee Chair, Jeff Dalton, discusses the following updates regarding the standardization of the CMMC credentialing and accreditation frameworks. The Credentialing Committee defines and examines the requirements of certified roles such as assessors, instructors, and auditors that are involved in the accreditation process.
Key Terms
Credentialing: Certification process for individuals.
Accreditation: Licensing process for organizations.
Credentialed Professionals: Individuals who have completed AB-prescribed coursework and examinations and are authorized to deliver AB-certified CMMC services.
Provisionally Credentialed Professionals: Individuals who are part of the “beta” group of individuals authorized to conduct CMMC Assessments during the short-term beta period. These Professionals are limited to providing services for organizations that are bidding on specific contracts identified by the DoD.
Accredited Organizations: Companies, institutions, or agencies that are licensed to deliver AB-certified CMMC services such as training and assessments.
C3PAO: Certified Third-Party Assessment Organizations. Each C3PAO must be certified by the CMMC-AB prior to deploying its assessors into the field.
Framework for Credentialed Professionals and Accredited Organizations
Each framework is designed to be scalable and handle the extensive volume of accreditations that will need to be completed. These frameworks define specific certification roles for credentialed professionals and accredited organizations.
Framework for Credentialed Professionals:
- Certified CMMC-AB Professional (CP): A gateway Certification that is a prerequisite for becoming a Certified Assessor or Instructor. Also used as recognition for a professional who may provide internal or external CMMC consulting or who wants to be part of a CMMC Assessment Team led by a CA.
- Certified CMMC-AB Assessor (CA): A professional authorized to conduct CMMC Assessments for ML1–ML5 and to award Maturity Levels subject to CQA approval.
- Certified CMMC-AB Instructor (CI): A professional authorized as an instructor to deliver CMMC Model Training and CMMC Assessor Training as a Licensed Training Provider (LTP).
- Certified CMMC-AB Master Instructor (CMI): CMMC-AB Team Member (initially) trained to authorize the instructors that work for LTPs teaching CMMC-AB Professional and Assessor classes.
- Certified CMMC-AB Quality Auditor (CQA): CMMC-AB Team Member authorized to review and approve assessments submitted by Certified Assessors using criteria and a baseline.
Additional Notes:
There will be different levels of assessors (Certified Level 1 Assessors, Certified Level 3 Assessors, and so forth), and each of these Certified Assessors can assess for the Level they are credentialed for as well as the Levels below that. This also applies to each Level that Instructors are certified to teach.
Framework for Provisionally Credentialed Professionals:
- Provisional Assessor (PA): An AB-authorized CMMC Assessor who has completed the initial CMMC Model and Assessment training and examination. They will carry the full authority of a Certified Assessor for a limited period of time and will participate in retrospective reviews and improvement workshops based on their experience. PAs will be limited to conducting CMMC Assessments with organizations identified by the DoD during the beta period.
- Provisional Assessment Team Member (PATM): An experienced individual who is authorized to assist an Assessor as an Assessment Team Member during an Assessment. PATMs must complete training provided by the Provisional Assessor that includes CMMC Model and Assessment content provided by the CMMC-AB to the C3PAO. Qualified PATMs can participate in Assessments for as long as the PA’s credential is valid.
Additional Notes:
While there may not be a limit to the number of Credentialed Professionals who can become certified, there will be a limit to the number of Provisional Credentialed Professionals who operate during the beta period.
Framework for Accredited Organizations
- Certified Third-Party Assessment Organization (C3PAO): An entity that is licensed by the CMMC-AB to enter into a contract to deliver a Certified CMMC Assessment conducted by a Certified Assessor (CA) or Authorized Provisional Assessor (APA) that is either an employee or contractor under a written agreement.
- Licensed Training Provider (LTP): A commercial or academic organization licensed by the CMMC-AB to leverage materials produced by Licensed Partner Publishers to deliver training that leads to the certification of CMMC-AB Professionals, Assessors, and Instructors.
- Licensed Partner Publisher (LPP): A commercial or academic organization licensed by the CMMC-AB to produce training curriculum and materials based on AB Learning Objectives and Exams and subsequently licensed by a Licensed Training Provider.
- Organization Seeking Assessment (OSA): An Accreditation provided to an organization or unit that has achieved CMMC Maturity Level 1–5 when performed by a qualified CA.
Your Questions Answered
How Can Companies Interested in Becoming a C3PAO in the Beta (or Pathfinder) Period Register Their Interests?
You can currently go to the CMMC-AB website to register your interest as a C3PAO. In the next couple of weeks or so, there will be a new site coming that will include an application process to become C3PAOs. Each application will be individually evaluated by the AB.
Will C3PAOs Be Required to Obtain a CMMC Certification?
Yes, C3PAOs will eventually be required to obtain Level 3 CMMC certification. There will be a yet-to-be-defined grace period for this to be completed.
CMMC-AB National Conversation – May 21st, 2020 – Executive Summary
The following video is part of a series called National Conversations output by the CMMC-AB (Cybersecurity Maturity Model Certification Accreditation Body). CMMC-AB is a volunteer accreditation body informed by industry practitioners to create clear, operational standards for CMMC certification.
May 21, 2020—The CMMC-AB Training Committee Chair, Ben Tchoubineh, discusses the following updates regarding the CMMC-AB training and certification framework. The Training Committee defines ongoing training requirements and plans for CMMC auditors and assessors.
Phased Rollout Plan for Training
Phase 1: Provisional Program (3–6 Months)
The training material for the provisional program was developed by the DoD and is currently being reviewed, finalized, and tested. This phase, which will begin this summer, was created for initial training purposes.
Main Objectives for Phase 1:
- Meet the DoD’s aggressive timeline
- Achieve controlled implementation within a limited scope
- Generate a feedback loop to incorporate lessons learned into formal program
- Train assessors up to Level 3
- Select 60 candidates to be part of “First Class” group of seasoned auditors and assessors
Phase 2: Formal Program (Long Term)
Phase 2 is currently in development and will be rolled out immediately following Phase 1. Phase 2 is designed to leverage an extensive partner network to scale up training to meet market demand. In this phase, the CMMC-AB will credential multiple levels of professionals.
Main objectives for Phase 2:
- Promote innovation and flexibility
- Sustain multiple formats (for universities, online, training centers, etc.)
- Be scalable through partnerships
- Standardize objectives and certification testing through a central Body of Knowledge
“First Class” Group of Assessors in Phase 1
To meet the needs and quick scheduling requirements of the initial training phase, a group of highly experienced auditors and assessors will be selected to participate in initial training and testing. Details of the application process for C3PAOs are forthcoming.
This group of auditors will:
- Be highly experienced
- Participate in initial training course once material has been finalized
- Assess initial DIB companies in close collaboration with CMMC-AB
- Engage in feedback loop for lessons learned to be incorporated into the CMMC-AB assessment methodology
- Be initially certified by AB to assess DIB organizations up to Level 3, later up to Level 5
Formal Program: CMMC-AB Credentialed Professionals Hierarchy
There will eventually be several tracks for credentialed professionals as this phase develops, such as tracks for IT professionals, compliance officers, and consultants. However, the initial track is the assessor track, which includes elements that will become the baseline for all tracks.
- First Tier: CMMC-AB Certified Professional (CP)
- Second Tier: CMMC-AB Certified Assessor Maturity Level 1 (CA1)
- Third Tier: CMMC-AB Certified Assessor Maturity Level 3 (CA3)
- Fourth Tier: CMMC-AB Certified Assessor Maturity Level 5 (CA5)
Certified CMMC-AB Assessors (as well as Instructors) will be able to assess or instruct for the Levels for which they are certified and below. A CA3, therefore, may assess for Levels 1, 2, and 3. The formal program will allow those with military experience and those with either a college degree or equivalent experience to apply to the track to become credentialed professionals.
Formal Program Framework
The steps of the formal program framework (Phase 2) are as follows:
- CMMC-AB maintains online CMMC-BOK (Body of Knowledge) and develops and delivers certification exams.
- Licensed Partner Publishers (LPPs) develop CMMC-AB approved curriculum for online or in-person consumption.
- Licensed Training Providers (LTPs) deliver approved certified training curriculum to students facilitated by a CMMC-AB Certified Instructor.
- Student Candidates attend training offered by LTP and take certified exams delivered by CMMC-AB.
Your Questions Answered
How is the CMMC-AB Training Committee attempting to meet COVID-19 challenges?
The Training Committee has done extensive research on online training resources and testing applications to ensure COVID-19 regulations can be met during each phase. The committee aims to do as much as they can remotely while also ensuring training is highly controlled.
Will Companies Be Able to Hire Subcontractors to Do Their Assessments, and Will the Subcontractors Need to Meet CMMC Requirements?
Yes, you can hire a CP (Certified Professional) or consultant to come assess your network to make sure it is compliant prior to getting an official assessment. However, for the assessment to be accepted by the CMMC-AB, you need to hire a C3PAO who is certified by the CMMC-AB to assess your organization.
CMMC-AB National Conversation – May 18th, 2020 – Executive Summary
The following video is part of a series called National Conversations output by the CMMC-AB (Cybersecurity Maturity Model Certification Accreditation Body). CMMC-AB is a volunteer accreditation body informed by industry practitioners to create clear, operational standards for CMMC certification.
May 18, 2020—This discussion is led by Ty Schieber, Board Chairman of the CMMC-AB; Katie Arrington, Chief Information Security Officer for Acquisition at the Department of Defense; and Shannon Jackson, Deputy Director of the Department of Defense Office of Small Business Programs. This discussion introduces a series of national conversations regarding the CMMC implementation and rollout.
Preparing for the CMMC Rollout: Your Questions Answered
What is the CMMC-AB?
The CMMC-AB is the only organization authorized by the DoD to train and license CMMC-accepted auditors, or C3PAOs, for the Department of Defense.
Currently, there is no organization certified to perform audits of any company for a CMMC certification that the Department of Defense will accept. However, there are organizations that can act as consultants to help you prepare for audits. The CMMC-AB is working diligently to standardize the in-training pathfinder for the auditors, who will then provide official certifications.
How is the CMMC-AB Organized to Meet the Needs of CMMC Implementation?
The accreditation body has established seven standing committees:
- Standards
- Accreditation and Credentialing
- Training
- Infrastructure
- Nominations and Governance
- Finance
- Communications
Each of these committees sponsors working groups that gather stakeholders and their input across the entire ecosystem of the CMMC. This process is well underway; many working groups have already gathered and concluded their work. Others will meet in the near future.
Once the working groups meet and formulate framed approaches to the challenges of implementation of the CMMC, they will bring those recommendations to the committees, which are all chaired by board directors. Those directors then bring the recommendations to the board for final decisions. Though the board hasn’t made decisions on the specific mechanics of CMMC implementation, they are nearing decision points in a wide range of areas.
How Has the COVID-19 Pandemic Affected CMMC Rollout?
Though some disruptions have been caused by COVID-19, especially in regard to in-person training, Ms. Arrington notes that the pace for the rollout of the CMMC will not slow down in any way.
Innovations in online training and other resources will allow the CMMC rollout to continue moving forward within the same timeline initially prepared by the DoD. If anything, COVID-19 has emphasized an even greater need for organizations to enhance and standardize their cybersecurity and become certified as soon as credentials are available.
How Should Organizations Begin Preparing Today for Assessments?
Organizations should work to understand and meet the current CMMC model Level 1 requirements (17 controls) right now. Do not wait for the CMMC-AB to finalize certification processes and credential auditors.
Keep in mind that the DoD is following a strategic five-year plan to get the CMMC to apply to all DoD contracts. They are also in the process of a proposed change to DFARS 252.204-7012 that refers to the 110 NIST 800-171R1 controls that you should be achieving if you handle Controlled Unclassified Information (CUI).
Organizations should understand that these cybersecurity measures are much more than a checklist; they are designed to revolutionize security culture and standardize best practices on how to combat threats. Working now to prepare your organization to comply with current CMMC controls is the first step in this process.