The Cybersecurity Maturity Model Certification (CMMC)

In 2020, the Department of Defense announced a new strategic effort to provide enhanced cybersecurity efforts for their building projects going forward. The Cybersecurity Maturity Model Certification (CMMC) will ensure accountability for companies to implement cybersecurity standards to protect sensitive data during the design, build and operations of DoD facilities. Through research grants by the John R. Gentille Foundation and ELECTRI International, a video series, along with official DoD CMMC documentation, has been produced by MCAA’s Chief Security Fanatic, Nick Espinosa to provide ongoing updates on CMMC changes as the standard evolves and in-depth tutorials on all 110 CMMC Level 2 security controls. 

Recently, the DoD has opened their review and comment period with the formal rules expected to go online around the fourth quarter of 2024 or the first quarter of 2025. The self-assessment phase for the DoD’s Supplier Performance Risk System (SPRS) that must be completed by every contractor working on a DoD project has been live since 2020 and all contractors should already have submitted a score or working towards submittal. The next phase, after the contractor aligned their organization to the proper CMMC security controls, requires a third-party assessment by a Certified Third-Party Assessor Organization (C3PAO). This is an assessment of a contractor’s cybersecurity practices in order to achieve formal certification for three years. At this time, the CMMC draft rules are being used for certification and this process will continue as the formal rules soon become law. 

The CMMC program includes cyber protection standards for companies in the Defense Industrial Base (DIB). By incorporating cybersecurity standards and practices into acquisition programs, CMMC provides the DoD with assurance that contractors and subcontractors are meeting these cybersecurity requirements. For plumbing, mechanical and service contractors working on DoD projects, this means that they will have to formally document their required implemented cybersecurity controls through policies, processes and collected evidence, which also includes any cloud providers in use by the contractor who also must meet more stringent standards for data security known as FedRAMP Moderate.  

CMMC Control Family Videos:

• 001 AC Access Control
• 002 AT Awareness and Training
• 003 AU Audit and Accountability
• 004 CM Configuration Management
• 005 IA Identification and Authentication
• 006 IR Incident Response
• 007 MA Maintenance
• 008 MP Media Protection
• 009 PS Personnel Security
• 010 PE Physical Protection
• 011 RA Risk Assessment
• 012 CA Security Assessment
• 013 SC System and Communications Protection
• 014 SI System and Information Integrity

Most Critical Documents from the DoD and NIST:

• “CMMC 2 Level 01 Self Assessment Guide” is the official guidance for CMMC Level 1 assessments and should be used for baseline guidance.
• “CMMC 2 Level 02 Self Assessment Guide” is the official guidance for CMMC Level 2 assessments and should be used for baseline guidance. Note: this Level 2 document also includes all controls for Level 1 as well so if the organization is achieving a Level 2 certification then they will not need the Level 1 document.
• “CMMC v1 to v2 Mapping Excel” is the official controls mapping to convert a CMMC version 1 one project to the newer CMMC version 2 standard.
• “Controlled Unclassified System Security Plan” is the official System Security Plan for CUI handling as required by CMMC. Guidance for this document is in red throughout the body of the text.
• “Dept of Defense Scoring Template for NIST 800-171” is the official scoring guide for organizations to understand what CMMC Level 1 and 2 controls they do and do not have implented.
• “NIST 800-34r1 Contingency Planning Guidance” is guidance how to properly create a contingency plan for the organization that is CMMC compliant.
• “NIST.SP.800-37r2 Risk Management Framework Guidance” is guidance on CMMC compliant Risk Management.