With this final rule, posted on 10/15/2024, the DoD establishes the Cybersecurity Maturity Model Certification (CMMC) Program in order to verify that contractors have implemented the security measures required to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The rule is effective December 16, 2024. The mechanisms discussed in this rule allow the Department to confirm that a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (that is, the level and the assessment type) across the contract period of performance. The full text of the rule is published in the Federal Register as 32 CFR part 170.
The Defense Federal Acquisition Regulation Supplement (DFARS) supplies the contract clause that applies the Cybersecurity Maturity Model Certification (CMMC) framework to individual contracts, so that the DoD can assess contractor implementation of the cybersecurity requirements protecting specific data types within its supply chain; that acquisition rule was still in rulemaking when the program rule above was published. The program rule adopts CMMC 2.0, whose objective is that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information they handle.
Who does it apply to?
The primary purpose of CMMC practices and processes is to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
FCI – means “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
CUI – is “government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies.”
CMMC is designed to assure the DoD that a contractor or subcontractor can adequately protect FCI and CUI at a level proportionate to the risk. It is used to verify that the required processes and practices are implemented and to certify that the contractor or subcontractor complies with the CMMC standard.
A contractor on a DoD contract that carries the CMMC requirement must meet the CMMC level specified in the solicitation, and the assessment type (self-assessment or third-party certification) follows from that level. If a contractor does not process, store or transmit CUI but does handle FCI, it must meet CMMC Level 1, which covers the 15 basic safeguarding requirements of FAR 52.204-21 and is satisfied by an annual self-assessment and affirmation rather than a third-party certificate.
CMMC Level 2 is based on the 110 security requirements of NIST SP 800-171 Revision 2, organized into that publication's 14 requirement families; Level 3 adds a selected set of enhanced requirements from NIST SP 800-172.
How can Socium Security help?
Socium Security provides assessment and program-readiness services for organizations that are, or will be, processing FCI and/or CUI in support of federal contracts. The engagement produces a security roadmap and an operational program that meet the federal requirements.