The Defense Federal Acquisition Regulation (DFARS) established a rule to implement a Cybersecurity Maturity Model Certification (CMMC) framework to assess contractor implementation of cybersecurity requirements to protect specific data types within the DoD supply chain. CMMC Model 2.0 is currently within the rulemaking process with the objective to:

• Safeguard sensitive information to enable and protect the warfighter
• Enforce DIB cybersecurity standards to meet evolving threats
• Ensure accountability while minimizing barriers to compliance with DoD requirements
• Perpetuate a collaborative culture of cybersecurity and cyber resilience
• Maintain public trust through high professional and ethical standards

CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. 

Who does it apply to?

The primary purpose of CMMC practices and processes is to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

 FCI – means “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”

 CUI – is “government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies.”

 CMMC is designed to assure the DoD that a contractor and or subcontractor can adequately protect FCI and CUI at a level in proportion with the risk. It is used to verify the implementation of processes and practices and certifying that a contractor and or subcontractor complies with the CMMC standard.

A contractor on a DoD contract needs to comply with the Standard. The contractor is required to obtain a CMMC certificate. If a contractor does not store or transmit CUI but does possess FCI, they must be certified at CMMC Level 1.

CMMC is based on the NIST 800-171 r2 security requirements organized across the following families:

• Access Control
• Awareness and Training
• Audit and Accountability
• Security Assessment
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Physical Protection
• Personnel Security
• Risk Assessment
• System and Communication Protection
• System and Information Integrity

How can Socium Security help?

Socium Security can provide assessment and program readiness services for organizations that are or will be processing FCI and / or CUI in support of federal contracts. This will establish a security roadmap and operational program to meet the Federal requirements.