In response to several high-profile compromises in the DIB (Defense Industrial Base), the Department of Defense issued the DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012 clause. This clause requires defense contractors to implement NIST SP (National Institute of Standards and Technology Special Publication) 800-171 (NIST 800-171 r2), a catalog of security controls meant to increase your security and protect the department's Controlled Unclassified Information (CUI).
As companies implemented the DFARS 7012 clause, many chose to defer several controls for years, not months. This signaled to the DoD that these companies had no real intention of implementing those controls, which troubled the DoD because it meant the DIB was not as secure as expected.
In response to these lax implementations, the DoD decided to add an external certification component to the mix, along with a few extra controls. This certification breaks the NIST SP 800-171 controls into different levels so that a contractor's certification is commensurate with the sensitivity of the information it processes. We’ll get into the levels and what they mean later in this post.
Starting in Fiscal Year (FY) 21, CMMC will be added to a few contracts as a go/no-go requirement in Sections L & M of RFPs (Requests for Proposal). This means that in order to even bid on those contracts, your company will need to be certified to the required level. As the FYs progress, more contracts will include the CMMC requirement. The GSA STARS III contract already has CMMC as a requirement despite CMMC not yet being fully rolled out.
Level 1: Requires that an organization performs the specified practices.
Level 2: Requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts.
Level 3: Requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation.
Level 4: Requires that an organization review and measure practices for effectiveness.
Level 5: Requires an organization to standardize and optimize process implementation across the organization.
For more information on the different levels, check out our blog post on CMMC Levels.